(54) DATA CONVERTER AND RECORDING MEDIUM ON WHICH PROGRAM FOR EXECUTING DATA CONVERSION IS RECORDED






(57) A plurality of round processing parts (38) are provided each of which contains a nonlinear function part (304), and each nonlinear function part (304) comprises: a first key-dependent linear transformation part (341) which performs a linear transformation based on a subkey; a splitting part (342) which splits the output from the first key-dependent linear transformation part into n pieces of subdata; a first nonlinear transformation part (343) which nonlinearly transforms those pieces of subdata, respectively; a second key-dependent linear transformation part (344) which linearly transforms those nonlinearly transformed outputs based on a subkey and outputs n pieces of transformed subdata; a second nonlinear transformation part (345) which nonlinearly transforms those transformed subdata; and a combining part (346) which combines the nonlinearly transformed outputs. An n × n matrix, which represents the linear transformation in the second key-dependent linear transformation part (344), is formed by n vectors whose Hamming weights are equal to or larger than T-1 for a security threshold T, thereby increasing the invulnerability against differential cryptanalysis and linear cryptanalysis.
Description



TECHNICAL FIELD 

[0001] The present invention relates to a transformation device that is used in a cryptographic device for concealing data in data communication or storage and, more particularly, to a data transformation device suitable for use in an encryption device of a secret-key encryption algorithm which encrypts or decrypts data blocks using a secret key, and a recording medium on which there is recorded a program for execution by the data transformation device.

PRIOR ART 

[0002] With a view to constructing a fast and secure secret-key encryption algorithm, a block cipher is used according to which data for encryption is split into blocks of a suitable length and encrypted for each block. Usually the block cipher comprises a data diffusion part which randomizes input data to be encrypted, and a key scheduling part which is supplied with a secret common key (hereinafter referred to as a master key) input to the encryption device and generates a sequence of subkeys for use by the data diffusion part. A typical secret-key encryption algorithm, which is used in the data transformation device to conceal data, is DES (Data Encryption Standard), which was a FIPS-approved algorithm for encryption.

[0003] Fig. 1 illustrates the functional configuration of DES. DES uses a 64-bit secret key (8 bits being used for parity) and encrypts or decrypts data in blocks of 64 bits. In Fig. 1 the encryption process is executed in a data diffusion part 10, which begins with initial permutation of 64 bits of a plaintext M in an initial permutation part 11, followed by splitting the permuted data into two pieces of 32-bit block data L_0 and R_0. The block data R_0 is input to a function operation part (referred to also as a round function) 12, which is a data transformation part shown as an i-th round processing part 14_i (i = 0, 1, ..., 15) in Fig. 2, wherein it is transformed to f(R_0, k_0) using a 48-bit subkey k_0. The thus transformed data f(R_0, k_0) and the block data L_0 are exclusive ORed in an XOR circuit 13, and its output and the block data R_0 are swapped to obtain the next block data L_1, R_1. That is,

R_1 = L_0 ⊕ f(R_0, k_0)

L_1 = R_0
where ⊕ represents an exclusive OR. A 0-th round processing part 14_0 comprises the function operation part 12 and the XOR circuit 13 and swaps the two pieces of block data to provide the two pieces of output block data L_1 and R_1; similar round processing parts 14_1 to 14_15 are provided in cascade. The processing by the i-th round processing part 14_i will hereinafter be referred to as i-th processing, where i = 0, 1, ..., 15. That is, each round processing part 14_i (where 0 ≤ i ≤ 15) performs the following processing:

R_{i+1} = L_i ⊕ f(R_i, k_i)

L_{i+1} = R_i

And finally the two pieces of data R_16 and L_16 are concatenated into 64-bit data, which is permuted in a final permutation part 15 to provide a 64-bit ciphertext. Incidentally, the operation of the final permutation part 15 corresponds to an inverse transform of the operation of the initial permutation part 11.

[0004] The decryption process can be executed following the same procedure as that for the encryption process except inputting the subkeys k_0, k_1, ..., k_14, k_15 to the function f (the function operation part 12) in the order k_15, k_14, ..., k_1, k_0, which is the reverse of that in the encryption process. In such an instance, the outputs L_16 and R_16 from the final round processing part 14_15 are further swapped as depicted, and in the decryption process the ciphertext is input to the initial permutation part 11 for execution of the process of Fig. 1, by which the plaintext is provided intact at the output of the final permutation part 15. In a key scheduling part 20 an expanded key generation part 16: splits a master key of 64 bits, except 8 bits used for parity, into two pieces of 28-bit right and left key data; then performs 16-round swapping of the two pieces of 28-bit right and left key data; and performs reduced permutation of the permuted right and left data (a total of 56 bits) provided from the respective rounds to generate 16 48-bit subkeys k_0, k_1, ..., k_14, k_15, which are provided to the corresponding round processing parts of the data diffusion part 10.
[0005] The processing in the function operation part 12 is performed as depicted in Fig. 2. To begin with, the 32-bit block data R_i is transformed to 48-bit data E(R_i) in an expanded permutation part 17. This output data and the subkey k_i are exclusive ORed in an XOR circuit 18, whose output is the 48-bit data E(R_i) ⊕ k_i, which is then split into eight pieces of 6-bit sub-block data. The eight pieces of sub-block data are input to different S-boxes S_0 to S_7 to derive therefrom a 4-bit output, respectively. Incidentally, the S-box S_j (where j = 0, 1, ..., 7) is a nonlinear transformation table that transforms the 6-bit input data to the 4-bit output data, and is an essential part that provides the security of DES. The eight pieces of output data from the S-boxes S_0 to S_7 are concatenated again to 32-bit data, which is applied to a permutation part 19 to provide the output f(R_i, k_i) from the function operation part 12 as shown in Fig. 2. This output is exclusive ORed with L_i to obtain R_{i+1}.

[0006] Next, a description will be given of cryptanalysis techniques. A variety of cryptanalysis techniques have been proposed for DES and other traditional secret-key encryption algorithms; extremely effective cryptanalysis techniques among them are differential cryptanalysis proposed by E. Biham and A. Shamir ("Differential Cryptanalysis of DES-like Cryptosystems," Journal of Cryptology, Vol. 4, No. 1, pp. 3-72) and linear cryptanalysis proposed by Matsui ("Linear Cryptanalysis Method for DES Cipher," Advances in Cryptology - EUROCRYPT '93 (Lecture Notes in Computer Science 765), pp. 386-397).
[0007] Assuming that a difference between two pieces of data X and X* is defined as

ΔX = X ⊕ X*,

differential cryptanalysis aims to obtain the subkey k_15 in the final round processing part 14_15 by applying to the following equations two sets of plaintext-ciphertext pairs that an attacker possesses. In the encryption process of Fig. 1, let (L_i, R_i) and (L*_i, R*_i) represent the input data into the round processing part 14_i for the first and second plaintexts, respectively. With the difference defined as mentioned above, the following equations hold.

ΔL_i = L_i ⊕ L*_i
ΔR_i = R_i ⊕ R*_i

In Fig. 1, since L_15 = R_14, L*_15 = R*_14, L_16 = R_15 and L*_16 = R*_15, the following equations hold

R_16 = L_15 ⊕ f(R_15, k_15)

R*_16 = L*_15 ⊕ f(R*_15, k_15)

and the exclusive OR of both sides of these two equations is obtained as follows:

ΔR_16 = ΔL_15 ⊕ f(L_16, k_15) ⊕ f(L_16 ⊕ ΔL_16, k_15).

Exclusive ORing both sides with ΔR_14 = ΔL_15 gives the following equation:

f(L_16, k_15) ⊕ f(L_16 ⊕ ΔL_16, k_15) = ΔR_16 ⊕ ΔR_14.

At this time, since L_16, ΔL_16 and ΔR_16 are data available from the ciphertext, they are known information. Hence, if the attacker can correctly obtain ΔR_14, then only k_15 in the above equation is an unknown constant; the attacker can find the correct k_15 without fail by an exhaustive search for k_15 using the known sets of plaintext-ciphertext pairs. Accordingly, once the subkey k_15 is found out, the remaining eight (i.e., 56-48) bits can easily be obtained even by another exhaustive search.

[0008] On the other hand, generally speaking, it is difficult to obtain ΔR_14 since this value is an intermediate difference value. Then, assume that each round processing is approximated by the following equations with a probability p_i in the 0-th to the last round but one (i.e., the 14th):

ΔR_{i+1} = ΔL_i ⊕ Δ{f(ΔR_i)}
ΔL_{i+1} = ΔR_i

The point is that, when a certain ΔR_i is input to the i-th round processing part, Δ{f(ΔR_i)} can be predicted with the probability p_i regardless of the value of the subkey k_i. The reason why such approximations can be made is that the S-boxes, which are nonlinear transformation tables, provide an extremely uneven distribution of output differences for the same input differences. For example, in the S-box S_0, an input difference "110100" (in binary) is transformed to an output difference "0010" (in binary) with a probability of 1/4. Then, the approximation for each round is obtained by assuming that the S-boxes are each capable of predicting the relationship between the input difference and the output difference with a probability p_s and by combining them. Furthermore, the concatenation of such approximations in the respective rounds makes it possible to obtain ΔR_14 from ΔL_0 and ΔR_0 (ΔL_0 and ΔR_0 are data derivable from the plaintext, and hence they are known) with a probability P = ∏_{i=0}^{13} p_i. Incidentally, the higher the probability P, the easier the cryptanalysis. After the subkey k_15 is thus obtained, a similar calculation is made of the subkey k_14, regarding the cipher as a 15-round DES that is one round fewer than in the above; such operations are repeated to obtain the subkeys one by one down to k_0.

[0009] It depends on the probability P whether this cryptanalysis succeeds; the higher the probability P, the more likely the success. Biham et al. say that DES could be broken by this cryptanalysis if 2^47 sets of chosen plaintext-ciphertext pairs are available.

[0010] Linear cryptanalysis aims to obtain subkeys by constructing the following linear approximate equation and using the maximum likelihood method with sets of known plaintext-ciphertext pairs possessed by an attacker.

(L_0, R_0) · Γ(L_0, R_0) ⊕ (L_16, R_16) · Γ(L_16, R_16) = (k_0, k_1, ..., k_15) · Γ(k_0, k_1, ..., k_15)

where Γ(X) represents the vector that chooses particular bit positions of X, and it is called a mask value; "·" denotes the inner product modulo 2, i.e., the exclusive OR of the bits selected by the mask.
[0011] The role of the linear approximation expression is to approximately replace the cryptographic algorithm with a linear expression and separate it into a part concerning the set of plaintext-ciphertext pairs and a part concerning the subkeys. That is, in the set of plaintext-ciphertext pairs, the exclusive OR of all the values at particular bit positions of the plaintext and those of the ciphertext takes a fixed value, which indicates that it equals the exclusive OR of the values at particular positions of the subkeys. This means that the attacker gets the information

(k_0, k_1, ..., k_15) · Γ(k_0, k_1, ..., k_15) (one bit)

from the information

(L_0, R_0) · Γ(L_0, R_0) ⊕ (L_16, R_16) · Γ(L_16, R_16).

At this time (L_0, R_0) and (L_16, R_16) are the plaintext and the ciphertext, respectively, and hence they are known. For this reason, if the attacker can correctly obtain Γ(L_0, R_0), Γ(L_16, R_16) and Γ(k_0, k_1, ..., k_15), then he can obtain

(k_0, k_1, ..., k_15) · Γ(k_0, k_1, ..., k_15) (one bit).

[0012] In DES only the S-boxes perform nonlinear transformation; hence, if linear representations can be made for only the S-boxes, the linear approximation expression can easily be constructed. Then, assume that each S-box can be linearly represented with a probability p_s. The point here is that when the input mask value for the S-box is given, its output mask value can be predicted with the probability p_s. The reason for this is that the S-boxes, which form a nonlinear transformation table, provide an extremely uneven distribution of output mask values according to the input mask values. For example, in the S-box S_4, when the input mask value is "010000" (in binary), an output mask value "1111" (in binary) is predicted with a probability of 3/16. By combining the mask values in these S-boxes, a linear representation of each round with the input and output mask values can be made with a probability p_i, and by concatenating the linear representations of the respective rounds, Γ(L_0, R_0), Γ(L_16, R_16) and Γ(k_0, k_1, ..., k_15) are obtained with the following probability:

P = 1/2 + 2^15 ∏_{i=0}^{15} |p_i - 1/2|.

The higher the probability P, the easier the cryptanalysis.
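The S-box properties exploited in [0008] (uneven output differences) and [0012] (uneven output mask values) can be tabulated directly. The Python below is an added example and not part of the patent text: it builds the difference distribution table and the linear approximation table of a constructed 4-bit S-box (the S-box values and all function names are this example's own assumptions; the DES S-boxes on the page are 6-bit to 4-bit tables handled the same way) and combines per-round probabilities with the two formulas stated above, P = ∏ p_i for a differential characteristic and P = 1/2 + 2^(r-1) ∏ |p_i - 1/2| for r concatenated linear approximations.

```python
from math import prod
from typing import List, Sequence

# Constructed sample 4-bit bijective S-box for this example (not one of the DES S-boxes).
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def parity(v: int) -> int:
    """Parity of the bits selected by a mask: the inner product used in linear cryptanalysis."""
    return bin(v).count("1") & 1


def difference_distribution_table(sbox: Sequence[int]) -> List[List[int]]:
    """ddt[dx][dy] = number of inputs x with S(x) XOR S(x XOR dx) == dy,
    i.e. how unevenly output differences are distributed for each input difference."""
    n = len(sbox)
    ddt = [[0] * n for _ in range(n)]
    for x in range(n):
        for dx in range(n):
            ddt[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return ddt


def linear_approximation_table(sbox: Sequence[int]) -> List[List[int]]:
    """lat[a][b] = (#x with a.x == b.S(x)) - n/2 for input mask a and output mask b;
    lat[a][b] / n is the bias p_s - 1/2 of that mask pair."""
    n = len(sbox)
    lat = [[0] * n for _ in range(n)]
    for a in range(n):
        for b in range(n):
            agree = sum(1 for x in range(n) if parity(a & x) == parity(b & sbox[x]))
            lat[a][b] = agree - n // 2
    return lat


def differential_probability(ddt: List[List[int]], dx: int, dy: int) -> float:
    """Probability that input difference dx produces output difference dy."""
    return ddt[dx][dy] / len(ddt)


def best_differential(ddt: List[List[int]]):
    """Most probable (dx, dy) pair for a nonzero input difference: the p_s an attacker uses."""
    n = len(ddt)
    dx, dy = max(((dx, dy) for dx in range(1, n) for dy in range(n)),
                 key=lambda t: ddt[t[0]][t[1]])
    return dx, dy, ddt[dx][dy] / n


def linear_probability(lat: List[List[int]], a: int, b: int) -> float:
    """Probability that the approximation  a.x = b.S(x)  holds."""
    return 0.5 + lat[a][b] / len(lat)


def differential_characteristic_probability(round_probabilities: Sequence[float]) -> float:
    """Concatenating one-round approximations: P = prod p_i (the differential case above)."""
    return prod(round_probabilities)


def piling_up(round_probabilities: Sequence[float]) -> float:
    """Matsui's piling-up lemma, the page's P = 1/2 + 2^(r-1) * prod |p_i - 1/2| for r rounds."""
    r = len(round_probabilities)
    return 0.5 + 2 ** (r - 1) * prod(abs(p - 0.5) for p in round_probabilities)


if __name__ == "__main__":
    ddt = difference_distribution_table(SBOX)
    lat = linear_approximation_table(SBOX)
    dx, dy, p = best_differential(ddt)
    print(f"best differential: {dx:04b} -> {dy:04b} with probability {p}")
    print("P over 3 such rounds:", differential_characteristic_probability([p] * 3))
    pl = linear_probability(lat, 0b0110, 0b1011)
    print("linear approximation 0110 -> 1011 holds with probability", pl)
    print("P over 2 such rounds:", piling_up([pl, pl]))
```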

[0013] According to Matsui, he succeeded in the analysis of DES by this cryptanalysis using 2^43 sets of known plaintext-ciphertext pairs.

[0014] To protect ciphers against the above cryptanalysis techniques, the probability P needs only to be reduced to be sufficiently small. A wide variety of proposals have been made to lessen the probability P, and the easiest way to provide increased security in the conventional cryptosystems is to increase the number of rounds. For example, Triple-DES with three DESs concatenated is an algorithm that essentially increases the number of rounds from 16 to 48, and it provides a far smaller probability P than does DES.

[0015] However, to increase the number of rounds with a view to avoiding the cryptanalysis techniques described above inevitably sacrifices the encryption speed. For example, if the number of rounds is tripled, the encryption speed is reduced down to 1/3. That is, since the encryption speed of the present DES is about 10 Mbps on the Pentium PC class, the encryption speed of Triple-DES goes down to around 3.5 Mbps. On the other hand, networks and computers are becoming increasingly faster year by year, and hence there is also a demand for data transformation devices that keep up with such speedups. With conventional data transformation devices, it is extremely difficult, therefore, to simultaneously meet the requirements of security and speedup.
[0016] Moreover, according to differential and linear cryptanalysis, the subkey in the final round is obtained as described above. Since DES has the defect that the main key can easily be derived from the subkey in the final round, there is proposed in U. S. Patent No. 4,850,019 a method which provides increased security by increasing the complexity of the correspondence between the subkeys and the main key in the key scheduling part 20. Its fundamental configuration is shown in Fig. 3. In the above-mentioned U. S. patent the subkeys are generated from the main key by data diffusion parts (f_k); therefore it is expected that the main key cannot easily be derived from the subkeys.

[0017] Next, a description will be given, with reference to Fig. 3, of the general outlines of a key scheduling part 20 disclosed in the above-mentioned U. S. patent. An expanded key generation part 21 comprises N/2 (N = 16, for example) rounds of key processing parts 21_0 to 21_{N/2-1} which have key diffusion parts 22_0 to 22_{N/2-1}, respectively. The key processing parts 21_j (where j = 0, 1, ..., N/2-1) each perform diffusion processing of two pieces of 32-bit right and left key data, and interchange them to provide two pieces of right and left key data for input to the next-round key processing part 21_{j+1}. The key processing parts 21_j, except the first round, each have an exclusive OR part 23_j, which calculates the exclusive OR of the left input key data to the key processing part 21_{j-1} of the preceding round and the left output key data therefrom and provides the calculated data to the key diffusion part 22_j. The left input key data of the key processing part 21_j is diffused by the output from the exclusive OR part 23_j in the key diffusion part 22_j, from which the diffused data is output as right key data for input to the next round, and the right input key data of the key processing part 21_j is output as left key data for input to the next round. The output from each key diffusion part 22_j is bit-split into two subkeys Q_{2j} and Q_{2j+1} (that is, k_i and k_{i+1}), which are provided to the corresponding (i = 2j)-th round processing part and (i+1 = 2j+1)-th round processing part in Fig. 1.

[0018] The 64-bit main key is split into two pieces of 32-bit right and left key data; then, in the first-round key processing part 21_0, the left key data is diffused by the right key data in the key diffusion part 22_0 to obtain diffused left key data, and this diffused left key data and the right key data are interchanged and provided as right and left key data to the next key processing part 21_1. The outputs from the key diffusion parts 22_0 to 22_{N/2-1} of the key processing parts 21_0 to 21_{N/2-1} are applied as subkeys k_0 to k_{N-1} to the corresponding round processing parts 14_0 to 14_{N-1} of the data diffusion part 10 depicted in Fig. 1.

[0019] In the expanded key generation part 21 of Fig. 3, however, each key diffusion part 22_j is a function for generating a pair of key data (subkeys Q_{2j}, Q_{2j+1}) from two pieces of input data. In the case where, when one of the two pieces of input data and the output data are known, the other input data can be found out, if it is assumed that three pairs of subkeys (Q_{2j-2} and Q_{2j-1}), (Q_{2j} and Q_{2j+1}), (Q_{2j+2} and Q_{2j+3}) are known, then, since the output (subkeys Q_{2j+2} and Q_{2j+3}) from the (j+1)-th key diffusion part 22_{j+1} and the one input data (subkeys Q_{2j-2} and Q_{2j-1}) thereto are known, the other input data (i.e., the output data from the exclusive OR part 23_{j+1}) can be obtained; and it is possible to derive, from the thus obtained data and the subkeys Q_{2j} and Q_{2j+1} which constitute the one input data to the exclusive OR part 23_{j+1}, the input data to the preceding (j-th) key diffusion part 22_j which constitute the other input data to the exclusive OR part 23_{j+1}, that is, the subkeys Q_{2j-4} and Q_{2j-3} which constitute the output from the three-round-preceding ((j-2)-th) key diffusion part 22_{j-2}. By repeating such operations in a sequential order, it is possible to determine all subkeys through data analysis only in the key scheduling part 20 without involving data analysis in the data diffusion part 10. It has been described just above that when subkeys of three consecutive rounds are known, all the subkeys concerned can be obtained; but even when only subkeys of two consecutive rounds are known, cryptanalysis will still succeed by estimating the subkeys of the remaining one round by an exhaustive search.
[0020] Letting the final stage of the round processing in Fig. 1 be represented by i = N, the subkeys k_N and k_{N-1} are easy to obtain by differential and linear cryptanalysis. By analyzing the key data in the expanded key generation part 21 as described above using the obtained subkeys, there is the possibility of obtaining all the subkeys concerned.

[0021] A first object of the present invention is to provide a data transformation device in which the round function f (the function operation part) is so configured as to simultaneously meet the requirements of security and speedup, to thereby ensure security and permit fast encryption processing without involving a substantial increase in the number of rounds, and a recording medium having recorded thereon a program for implementing the data transformation.

[0022] A second object of the present invention is to implement a key scheduling part which does not allow 
ease in determining other subkeys and the master key by a mere analysis of the key scheduling part even if some 
of the subkeys are known. 

DISCLOSURE OF THE INVENTION

[0023] To attain the first object of the present invention, a nonlinear function part, in particular, comprises: 
a first key-dependent linear transformation part which linearly transforms input data of the nonlinear function part 
based on first key data stored in a key storage part; a splitting part which splits the output data of the first key- 
dependent linear transformation part into n pieces of subdata; first nonlinear transformation parts which 
nonlinearly transform these pieces of subdata, respectively; a second key-dependent linear transformation part 
which linearly transforms respective pieces of output subdata of the first nonlinear transformation parts based on 
second key data; second nonlinear transformation parts which nonlinearly transform respective pieces of output 
subdata of the second key-dependent linear transformation part; and a combining part which combines output 
subblocks of the second nonlinear transformation part into output data of the nonlinear function part; and the 
second key-dependent linear transformation part contains a linear transformation part which performs exclusive 
ORing of its inputs which is defined by an n × n matrix. 
[0024] According to the present invention, it is guaranteed that when the differential probability/linear probability in the first and second nonlinear transformation parts is p (< 1), the differential probability/linear probability of approximating each round is p_f ≤ p^2 (when the input difference to the function f (the nonlinear function part) is not 0 in the case of differential cryptanalysis, and when the output mask value from the function is not 0 in the case of linear cryptanalysis). And when the function f is bijective, if the number of rounds of the cryptographic device is set at 3r, then the probability of the cipher becomes P ≤ p_f^{2r} ≤ p^{4r}. Furthermore, if the second key-dependent linear transformation part in the case of n = 4, in particular, has a configuration that exclusive ORs a combination of three of the four pieces of subdata with one of four pieces of key data, the probability of approximating each round is p_f ≤ p^4 and the probability of the cipher is P ≤ p_f^{2r} ≤ p^{8r}. If the second key-dependent linear transformation part in the case of n = 8 has a configuration that exclusive ORs a combination of six or five of the eight pieces of subdata with one of eight pieces of key data, the probability of approximating each round is p_f ≤ p^5 and the probability of the cipher is P ≤ p_f^{2r} ≤ p^{10r}.
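The exponents in the bounds p_f ≤ p^4 (n = 4) and p_f ≤ p^5 (n = 8) come from the least number of nonlinear boxes that any nonzero input difference forces to be active across the two nonlinear layers, which is the branch number of the n × n matrix over GF(2). The Python below is an added example, not the patent's own code: it builds the n = 4 matrix described above (each output piece is the XOR of the three other pieces) and a constructed 8 × 8 matrix with rows of weight 6 or 5 (this particular matrix, its name MATRIX_N8 and all function names are assumptions of the example, not taken from the page), checks the Hamming-weight condition from the abstract, computes the branch numbers and derives the per-round and 3r-round bounds.

```python
from fractions import Fraction
from typing import List


def popcount(v: int) -> int:
    return bin(v).count("1")


def matrix_n4() -> List[int]:
    """The page's n = 4 configuration: output j is the XOR of the three pieces other
    than j, so every row has Hamming weight 3 = T - 1 for T = 4.
    Row j is a bitmask over the n input pieces (bit i set => piece i is XORed in)."""
    n = 4
    return [((1 << n) - 1) ^ (1 << j) for j in range(n)]


# Constructed 8 x 8 example matrix (assumption of this example): four rows of
# weight 6 and four rows of weight 5, i.e. "six or five of the eight pieces".
MATRIX_N8 = [0xB7, 0xDB, 0xED, 0x7E, 0xC7, 0x6B, 0x3D, 0x9E]


def rows_satisfy_weight_condition(rows: List[int], t: int) -> bool:
    """The abstract's condition: every row vector has Hamming weight >= T - 1."""
    return all(popcount(r) >= t - 1 for r in rows)


def apply_matrix(rows: List[int], v: int) -> int:
    """Multiply over GF(2): output bit j is the parity of (row_j AND v)."""
    out = 0
    for j, row in enumerate(rows):
        if popcount(row & v) & 1:
            out |= 1 << j
    return out


def branch_number(rows: List[int]) -> int:
    """min over nonzero v of wt(v) + wt(Mv).  With v the pattern of active boxes in
    the first nonlinear layer, Mv is the pattern forced on the second layer, so this
    is the least total number of active boxes in one round function."""
    n = len(rows)
    return min(popcount(v) + popcount(apply_matrix(rows, v)) for v in range(1, 1 << n))


def is_invertible(rows: List[int]) -> bool:
    """Gaussian elimination over GF(2): the matrix must be invertible for the round
    function f to be bijective, which the cipher bound above assumes."""
    rows = list(rows)
    n, rank = len(rows), 0
    for bit in range(n):
        pivot = next((i for i in range(rank, n) if (rows[i] >> bit) & 1), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(n):
            if i != rank and (rows[i] >> bit) & 1:
                rows[i] ^= rows[rank]
        rank += 1
    return rank == n


def round_bound(p: Fraction, rows: List[int]) -> Fraction:
    """p_f <= p^B, where p bounds each nonlinear box and B is the branch number."""
    return p ** branch_number(rows)


def cipher_bound(p: Fraction, rows: List[int], rounds: int) -> Fraction:
    """The page's bound for a bijective f and 3r rounds: P <= p_f^(2r)."""
    if rounds % 3:
        raise ValueError("the bound is stated for a multiple of three rounds")
    return round_bound(p, rows) ** (2 * (rounds // 3))


if __name__ == "__main__":
    for name, rows, t in (("n=4", matrix_n4(), 4), ("n=8", MATRIX_N8, 5)):
        print(name, "weight condition:", rows_satisfy_weight_condition(rows, t),
              "invertible:", is_invertible(rows),
              "branch number:", branch_number(rows),
              "P for 12 rounds with p = 2^-6:", cipher_bound(Fraction(1, 64), rows, 12))
```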

[0025] Moreover, the first and second nonlinear transformation parts are arranged so that their processing can 
be performed completely in parallel —this contributes to speedup. 

[0026] It is possible, therefore, to construct a nonlinear function that is fast and secure against differential and linear cryptanalysis, and to permit the implementation of a data transformation device which copes with both security and speedup.

[0027] To attain the second object of the present invention, the key scheduling part is provided with: G-function parts which perform the same function as that of the key diffusion part (the function f_k), L components which are output from the G-function parts being once stored in a storage part; and an H-function part which reads out a required number of L components from the storage part and generates subkeys by extracting the respective L components as uniformly as possible. Furthermore, in the H-function part, partial information, which is used as subkeys, is extracted from the L components which are outputs from the G-function parts, then the extracted information is stored in a storage part, and the subkeys are generated by extracting the partial information from the required number of L components.

BRIEF DESCRIPTION OF THE DRAWINGS 

[0028]

Fig. 1 is a diagram depicting the functional configuration of a conventional DES cryptographic device.

Fig. 2 is a diagram depicting a concrete functional configuration of a function operation part 12 in Fig. 1.

Fig. 3 is a diagram depicting an example of an expanded key generation part 21 in Fig. 2.

Fig. 4 is a diagram illustrating the functional configuration of the first embodiment of the present invention.

Fig. 5 is a diagram showing in detail an example of the functional configuration of a nonlinear function part 304 in the first embodiment.

Fig. 6 is a diagram showing a basic configuration of a nonlinear function part for determining an optimal linear transformation part in Fig. 5.

Fig. 7 is a diagram depicting a concrete example of the second key-dependent linear transformation part 347 in Fig. 5.

Fig. 8A is a diagram depicting an equivalent functional configuration of a nonlinear transformation part 343 in the second embodiment.

Fig. 8B is a diagram depicting an equivalent functional configuration of a nonlinear transformation part 344 in the second embodiment.

Fig. 8C is a diagram depicting an equivalent functional configuration of a nonlinear transformation part 345 in the second embodiment.

Fig. 8D is a diagram depicting an equivalent functional configuration of a nonlinear transformation part 346 in the second embodiment.

Fig. 9 is a diagram showing the functional configuration of a second key-dependent linear transformation part 347 in the second embodiment.

Fig. 10 is a diagram showing the functional configuration of a nonlinear function part 343 in the third embodiment.

Fig. 11 is a flowchart showing the procedure for implementing a data transformation by a computer.

Fig. 12 is a flowchart showing in detail the procedure of step S3 in Fig. 11.

Fig. 13 is a diagram depicting the functional configuration of the fourth embodiment of the present invention.

Fig. 14 is a diagram depicting the functional configuration of a nonlinear function part 304 in Fig. 13.

Fig. 15A is a diagram depicting a linear transformation part of a limited structure intended to reduce the computational complexity involved in search.

Fig. 15B is a diagram depicting the configuration of one transformation box in Fig. 15A.

Fig. 16 is a diagram depicting an example of the configuration of a linear transformation part 344A determined by the search algorithm.

Fig. 17 is a diagram depicting an example of the functional configuration of a second key-dependent linear transformation part 344 in Fig. 14 in the fourth embodiment.

Fig. 18 is a diagram depicting another example of the functional configuration of a second key-dependent linear transformation part 344 in Fig. 14 in the fourth embodiment.



Fig. 19 is a diagram depicting still another example of the functional configuration of a second key-dependent 
linear transformation part 344 in Fig. 14 in the fourth embodiment. 

Fig. 20A is a diagram illustrating the functional configuration of a nonlinear transformation part 34 0 * in the 
fifth embodiment. 

Fig. 20B is a diagram illustrating the functional configuration of a nonlinear transformation part 343/. 

Fig. 20C is a diagram illustrating the functional configuration of a nonlinear transformation part 343/. 

Fig. 21 is a diagram showing the functional configuration of a second key-dependent linear transformation part 
344 in the fifth embodiment. 

Fig. 22 is a diagram showing a configuration for executing a data processing program recorded on a recording 
medium. 

Fig. 23A is a block diagram depicting the basic functional configuration of a key generation part according to 
the present invention. 

Fig. 23B is a block diagram depicting the basic functional configuration of another key generation part 
according to the present invention. 

Fig. 24 is a block diagram depicting an example of the functional configuration of an intermediate key 
generation part 230 in Fig. 23A or 23B. 

Fig. 25 is a block diagram depicting the functional configuration of a G-functional part in Fig. 24 when the 
present invention is applied to a key scheduling part in Fig. 3. 

Fig. 26 is a block diagram depicting the functional configuration of a subkey generation part 240 in Fig. 23A 
when the present invention is applied to a key scheduling part in Fig. 3. 

Fig. 27 is a block diagram depicting an example of the functional configuration of a subkey generation part 250 
in Fig. 23B when the present invention is applied to a key scheduling part in Fig. 3 (In this embodiment the 
subkey generation part contains an H-function part equipped with a bit extraction function). 

Fig. 28 is a block diagram depicting the functional configuration of the G-function part 22 designed for the 
application of the present invention to a Feistel cipher which uses 128 bits as one block. 



BEST MODE FOR CARRYING OUT THE INVENTION 
First Embodiment 

[0029] An embodiment of the present invention will be described below with reference to the accompanying 
drawings. 

[0030] Fig. 4 illustrates the functional configuration for an encryption process in the data transformation device according to an embodiment of the present invention. The data transformation device comprises a data diffusion part 10 and a key scheduling part 20. In the data transformation device according to the present invention, too, the data diffusion part 10 comprises N rounds of cascade-connected round processing parts 38_0 to 38_{N-1} which sequentially perform round processing of left and right pieces of data after input data is split into left and right pieces L_0, R_0; each round processing part 38_i (where i = 0, 1, ..., N-1) is made up of a nonlinear function part 304 corresponding to the function operation part 12 in Fig. 1, a linear operation part 305 corresponding to the XOR circuit 13 in Fig. 1 and a swapping part 306.

[0031] Input data M, which corresponds to a plaintext, is entered into the cryptographic device via an input part 301. The key scheduling part 20 comprises a key input part 320, an expanded key generation part 321 and a key storage part 322. Based on input data (a master key K) from the key input part 320, the expanded key generation part 321 generates plural pieces of key data (subkeys)

{fk; k_00, k_01, k_02; k_10, k_11, k_12; ...; k_(N-1)0, k_(N-1)1, k_(N-1)2; ek}

which are stored in the key storage part 322. The input data M is transformed in a key-dependent initial transformation part 302 with the key data fk stored in the key storage part 322, thereafter being split in an initial splitting part 303 into two pieces of left and right block data L_0 and R_0. For example, 64-bit data is split into two pieces of 32-bit block data L_0 and R_0. The key-dependent initial transformation part 302 performs a linear transformation such as exclusive ORing of the key data fk and the input data M or bit rotation of the input data M by the key data fk, or a nonlinear transformation by a combination of multiplications.

[0032] The right block data R_0 is provided to the nonlinear function part 304, which is characteristic of the present invention, together with the key data k_00, k_01 and k_02 stored in the key storage part 322, and in the nonlinear function part 304 the right block data is nonlinearly transformed to data Y_0. The data Y_0 and the left block data L_0 are transformed to data L_0* through a linear operation in the linear operation part 305. The data L_0* and the data R_0 are swapped in the swapping part 306 to provide L_1 = R_0 and R_1 = L_0*, and these pieces of data L_1 and R_1 are input to the next round processing part 38_1.

[0033] Thereafter, in the i-th round processing part 38_i (where i = 0, 1, ..., N-1) the same processing as mentioned above is repeated for the two pieces of input block data L_i and R_i. That is, the right block data R_i is input to the nonlinear function part 304 together with the key data k_i0, k_i1 and k_i2, and in the nonlinear function part 304 it is nonlinearly transformed to data Y_i. The data Y_i and the data L_i are transformed to data L_i* by a linear operation in the linear operation part 305. The data L_i* and the data R_i are swapped in position in the swapping part 306, that is, L_{i+1} <- R_i, R_{i+1} <- L_i*. The linear operation part 305 performs, for instance, an exclusive OR operation.

[0034] Letting N represent the repeat count (the number of rounds) sufficient to provide the security required of a data transformation device for encryption, two pieces of left and right data L_N and R_N are obtained as the result of such repeated processing by the round processing parts 38_0 to 38_{N-1}. These pieces of data L_N and R_N are combined into a single piece of block data in a final combining part 307; for example, the two pieces of 32-bit data L_N and R_N are combined into 64-bit data. Then the combined data is transformed in a key-dependent final transformation part 308 using the key data ek stored in the key storage part 322, and the output data C is provided as a ciphertext from an output part 309.

[0035] In decryption, the plaintext M can be derived from the ciphertext C by reversing the encryption procedure. In particular, when the key-dependent final transformation part 308 performs the transformation inverse to that of the key-dependent initial transformation part 302, decryption can be done by inputting the ciphertext data in place of the input data in Fig. 4 and inputting the key data in the order reverse to that in Fig. 4, that is, ek, k_(N-1)0, k_(N-1)1, k_(N-1)2, ..., k_10, k_11, k_12, k_00, k_01, k_02, fk. Since the swapping part 306 also acts in the last round, the two halves L_N, R_N must be exchanged on entry to the round processing and again on exit, as for any Feistel structure in which the final swap is not omitted.

[0036] Next, a detailed description will be given of the internal configuration of the nonlinear function part 304. Fig. 5 is a diagrammatic showing of the internal functional configuration of the nonlinear function part 304.

[0037] The input block data R_i to the i-th round processing part 38_i constitutes the input data to the nonlinear function part 304, together with the key data k_i0, k_i1, k_i2 stored in the key storage part 322. The block data R_i is subjected, for example, to exclusive ORing with the key data k_i0 in a first key-dependent linear transformation part 341, by which it is linearly transformed to data R* = R_i ⊕ k_i0. Next, the transformed data R* is split into four pieces of, for instance, 8-bit data in_0, in_1, in_2 and in_3 in a splitting part 342. The four pieces of data in_0, in_1, in_2 and in_3 are nonlinearly transformed to four pieces of data mid_00, mid_01, mid_02 and mid_03 in nonlinear transformation parts 343_0, 343_1, 343_2 and 343_3, respectively, from which they are input to a second key-dependent linear transformation part 344.

[0038] The second key-dependent linear transformation part 344 performs a linear transformation (XORing) among the pieces of input data mid_00, mid_01, mid_02 and mid_03 from the four routes to provide new data on the four routes, and further XORs these pieces of data on the four routes with the four pieces of key data k_i1 to provide the output data mid_10, mid_11, mid_12 and mid_13 on the four routes. The four pieces of data are input to nonlinear transformation parts 345_0, 345_1, 345_2 and 345_3, wherein they are transformed to data out_0, out_1, out_2 and out_3, respectively. These four pieces of data are combined into data Y* in a combining part 346; furthermore, in a third key-dependent linear transformation part 347 the data Y* undergoes a linear operation with the key data k_i2 to generate the output data Y_i.

[0039] The above-mentioned second key-dependent linear transformation part 344 is configured to perform exclusive OR operations between data processing routes 30_0, 30_1, 30_2 and 30_3, provided corresponding to the pieces of data mid_00, mid_01, mid_02 and mid_03, respectively, according to an algorithm of the present invention, thereby providing increased security without increasing the number of rounds of the data transformation device depicted in Fig. 4. The security of the data transformation device of Fig. 4 against differential cryptanalysis and linear cryptanalysis depends on the configuration of the nonlinear function part 304 of each round; in particular, when the nonlinear function part 304 in Fig. 5 has the basic configuration shown in Fig. 6, the security depends on a first nonlinear transformation part 343 composed of n nonlinear transformation parts (S-boxes) with m-bit input data, a linear transformation part 344A for linearly transforming the n outputs, and a second nonlinear transformation part 345 composed of n nonlinear transformation parts (S-boxes) for nonlinearly transforming the n m-bit outputs, respectively. It is particularly important how an optimal linear transformation part 344A, secure against differential and linear cryptanalysis, is constructed. According to the present invention, the linear transformation part 344A is represented as an n × n matrix P over {0, 1}, and the optimal linear transformation part 344A is constructed by determining the elements of the matrix P so as to minimize the maximum differential and linear characteristic probabilities p, q. In this instance, a linear transformation using the subkey k_i1, which is contained in the second key-dependent linear transformation part 344, is added as a key-dependent transformation part 344B to the linear transformation part 344A determined by the matrix P, as depicted in Fig. 7.

[0040] Incidentally, what is meant by the word "optimal" is to provide the highest resistance to differential and linear cryptanalysis in the linear transformation part 344A of the above configuration; it does not necessarily mean the optimum for other criteria, for example, the avalanche property. Empirically speaking, however, attacks other than differential and linear cryptanalysis can easily be avoided merely by increasing the number of rounds, while it is not certain whether some increase in the number of rounds alone serves to prevent differential and linear cryptanalysis unless a careful study is made of the round function used. In view of this, the present invention attaches the most importance to the resistance of the round function to differential and linear cryptanalysis and constructs the optimal linear transformation part 344A accordingly.

[0041] According to the present invention, the linear transformation part 344A in Fig. 6 is represented as the n × n matrix P over {0, 1}, as referred to above. This means that the matrix P performs a linear transformation in units of m bits, and that the linear transformation part 344A can be formed from exclusive ORs only. That is, the transformation of the n pieces of m-bit input data z_0, ..., z_{n-1} into the n pieces of m-bit output data z'_0, ..., z'_{n-1} can be expressed by the following equation:

$z' = P\,z, \quad\text{i.e.}\quad z'_i = \bigoplus_{j=0}^{n-1} P_{ij}\, z_j \quad (i = 0, \dots, n-1)$ (1)

In particular, when m = 8, the linear transformation is made in units of bytes and can be implemented efficiently on any platform whose word width is 8 bits or more.

[0042] As a concrete example in the case of n = 4, a 4 × 4 matrix P_E will be described which is expressed by the following equation (its rows are written out in Equations (3-1) to (3-4) below):

$P_E = \begin{pmatrix} 0 & 1 & 1 & 1 \\ 1 & 0 & 1 & 1 \\ 1 & 1 & 1 & 0 \\ 1 & 1 & 1 & 1 \end{pmatrix}$ (2)

The round function using the matrix P_E has the following features. Let it be assumed, however, that the S-box is bijective. z'_0, z'_1, z'_2 and z'_3 defined by the above matrix represent the following operations, respectively:

$z'_0 = 0\cdot z_0 \oplus 1\cdot z_1 \oplus 1\cdot z_2 \oplus 1\cdot z_3 = z_1 \oplus z_2 \oplus z_3$ (3-1)

$z'_1 = 1\cdot z_0 \oplus 0\cdot z_1 \oplus 1\cdot z_2 \oplus 1\cdot z_3 = z_0 \oplus z_2 \oplus z_3$ (3-2)

$z'_2 = 1\cdot z_0 \oplus 1\cdot z_1 \oplus 1\cdot z_2 \oplus 0\cdot z_3 = z_0 \oplus z_1 \oplus z_2$ (3-3)

$z'_3 = 1\cdot z_0 \oplus 1\cdot z_1 \oplus 1\cdot z_2 \oplus 1\cdot z_3 = z_0 \oplus z_1 \oplus z_2 \oplus z_3$ (3-4)



[0043] The resistance of the round function to differential and linear cryptanalysis can be determined from the smallest numbers n_d, n_l of active S-boxes, and these values are fixed at the time the matrix P is determined (see Appendix). In differential cryptanalysis an S-box whose input difference value Δx is nonzero is called an active S-box, and in linear cryptanalysis an S-box whose output mask value Γy is nonzero is called an active S-box.

[0044] In general, when a certain matrix P is given, there exist a plurality of constructions of the linear transformation part 344A corresponding to it. This is because the matrix P represents only the relationship between the input and output data of the linear transformation part 344A and does not define its concrete construction. That is, linear transformation parts that share the matrix P representing the relationship between their input and output data can be considered to have the same characteristic regardless of their individual constructions. Accordingly, in the following description, the matrix P which provides high invulnerability against differential and linear cryptanalysis and a good avalanche effect is determined first, followed by the construction of the linear transformation part 344A. This method is more effective in finding a linear transformation part 344A of optimal characteristic than checking individual constructions of linear transformation parts to see whether they have the optimal characteristic.

[0045] The elements of the n × n matrix P are determined by the following search algorithm, which takes the differential characteristic into account.

Step 1: Set a security threshold T (where T is an integer such that 2 ≤ T ≤ n).

Step 2: Prepare a set C of column vectors whose Hamming weights are equal to or larger than T-1. More specifically, prepare n or more n-dimensional column vectors which have T-1 or more elements "1".

Step 3: Select a subset P_c of n column vectors from the set C. Repeat the following steps until all subsets have been checked.

Step 3-1: Compute n_d for the subset P_c of n column vectors. This is represented as n_d(P_c).

Step 3-2: If n_d(P_c) ≥ T, then accept the matrix P_c consisting of the n column vectors as a candidate matrix.

Step 4: Output the matrix P and the value n_d(P) that yield the maximum value of n_d among all candidate matrices.



[0046] If a candidate matrix found by the above search algorithm is adopted, it is guaranteed that the value n_d is equal to or larger than T. The matrix P that maximizes n_d can be found efficiently by decrementing T by one, in the order T = n, n-1, ..., 3, 2, on each execution of the above search algorithm, and stopping as soon as a candidate is found.

[0047] In the above search algorithm, if relatively satisfactory invulnerability against differential and linear cryptanalysis suffices, then a matrix with n_d(P_c) ≥ T obtained by performing the steps up to 3-2 may be used as the desired matrix P. Alternatively, the matrix P_c composed of n vectors whose Hamming weights are equal to or larger than T-1, selected in step 2 after step 1, may be used as the matrix P (this alone guarantees T or more active S-boxes only when a single piece of input subdata is active, since the output difference is then one column of weight T-1 or more; it is Step 3-1 that covers the remaining input differences).

[0048] The input mask values of the linear transformation part 344A can be represented by exclusive ORs of its output mask values, and hence they can be expressed by a certain matrix, as in the case of the differential characteristic. As a result of our checking the relationship between the matrix for the differential characteristic and the matrix for the linear expression in several linear transformation parts of different constructions, the following two conjectures were made.

[0049] Conjecture 1: Assume that an n × n matrix P over {0, 1} is given for the linear transformation part 344A. Then the relationship between the input and output difference values Δz and Δz' of the linear transformation part 344A (a difference path) is given by the matrix P, and the relationship between the input and output mask values Γz and Γz' (a mask value path) is given by the transposed matrix ᵀP. That is,

$\Delta z' = P\,\Delta z$ (4)

$\Gamma z = {}^{T}\!P\,\Gamma z'$ (5)

(For an XOR-only linear transformation this relationship is exact: the parity Γz'·z' equals (ᵀP Γz')·z for every z, so the output mask Γz' is matched with certainty by the input mask ᵀP Γz'.)



[0050] Conjecture 2: The minimum number n_d of active S-boxes in the difference value path using the matrix P is equal to the minimum number n_l of active S-boxes in the mask value path using the transposed matrix ᵀP.

[0051] Because of Conjecture 2, n_l is also equal to or larger than T when the candidate matrices found by the search algorithm are adopted (the search itself bounds only n_d, so in practice n_l should be computed on ᵀP for the adopted matrix as well). For example, in the case of the afore-mentioned matrix P_E, the matrix P_E for the difference value path and the matrix ᵀP_E for the mask value path bear the following relationship:

$P_E = \begin{pmatrix} 0 & 1 & 1 & 1 \\ 1 & 0 & 1 & 1 \\ 1 & 1 & 1 & 0 \\ 1 & 1 & 1 & 1 \end{pmatrix}, \qquad {}^{T}\!P_E = \begin{pmatrix} 0 & 1 & 1 & 1 \\ 1 & 0 & 1 & 1 \\ 1 & 1 & 1 & 1 \\ 1 & 1 & 0 & 1 \end{pmatrix}$ (6)

It can be proven that n_d = 3 and n_l = 3 for the two matrices (see Appendix).
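The counts n_d and n_l and the threshold search of paragraphs [0043], [0045] to [0047] and [0049] to [0051], carried out in Python as an added example; this is not code from the patent. P_E is transcribed from Equations (3-1) to (3-4) and the second matrix from Equations (7-1) to (7-4) of Fig. 7. The third matrix is constructed here only to show that a matrix accepted by the search on n_d alone need not satisfy Conjecture 2, which is why the search below can optionally check the transposed matrix too.

```python
"""Active S-box counts n_d / n_l of a round function with the structure of
Fig. 6 (S-box layer, matrix P, S-box layer), and the threshold search of
paragraph [0045].  Added example, not code from the patent."""
from itertools import combinations, product

# P_E, transcribed from Equations (3-1) to (3-4): row i gives z'_i = XOR_j P[i][j] z_j
P_E = [[0, 1, 1, 1],
       [1, 0, 1, 1],
       [1, 1, 1, 0],
       [1, 1, 1, 1]]

# Matrix realised by the XOR network of Fig. 7, transcribed from Equations (7-1) to (7-4)
P_FIG7 = [[1, 0, 1, 1],
          [0, 1, 1, 1],
          [1, 1, 1, 0],
          [1, 1, 0, 1]]

# Constructed for this example (not from the patent): every column has weight 2
# or more, so the search with T = 3 accepts it on n_d, yet its first row has
# weight 1, which makes n_l on the transposed matrix only 2.
P_COUNTER = [[1, 0, 0, 0],
             [1, 1, 1, 0],
             [0, 0, 1, 1],
             [0, 1, 1, 1]]


def transpose(P):
    return [list(col) for col in zip(*P)]


def mat_vec(P, z):
    """z' = P z over GF(2); z is a tuple of 0/1 flags, one per m-bit subblock."""
    return tuple(sum(P[i][j] & z[j] for j in range(len(z))) & 1 for i in range(len(P)))


def min_active_sboxes(P):
    """n_d(P): minimum over non-zero input difference patterns dz of
    wt(dz) + wt(P dz), i.e. active S-boxes in layer 343 plus layer 345.
    A bijective S-box has a non-zero output difference exactly when its
    input difference is non-zero, which is what makes wt(P dz) the count
    for the second layer."""
    n = len(P)
    return min(sum(dz) + sum(mat_vec(P, dz))
               for dz in product((0, 1), repeat=n) if any(dz))


def min_active_sboxes_linear(P):
    """n_l(P): the mask path is governed by the transposed matrix (Conjecture 1),
    so the same count on transpose(P) gives the linear-cryptanalysis figure."""
    return min_active_sboxes(transpose(P))


def candidate_matrices(n, T, check_transpose=False):
    """Steps 1 to 3 of [0045]: columns of Hamming weight >= T-1, every n-subset
    tried, a subset kept when n_d >= T.  check_transpose additionally demands
    n_l >= T instead of relying on Conjecture 2.  Yields (P_c, n_d(P_c))."""
    assert 2 <= T <= n
    C = [v for v in product((0, 1), repeat=n) if sum(v) >= T - 1]
    for cols in combinations(C, n):
        Pc = [[cols[j][i] for j in range(n)] for i in range(n)]  # columns -> matrix
        nd = min_active_sboxes(Pc)
        if nd < T:
            continue
        if check_transpose and min_active_sboxes_linear(Pc) < T:
            continue
        yield Pc, nd


def search_matrices(n, T, check_transpose=False):
    """Step 4: the maximum n_d among the candidates and the matrices reaching it."""
    cands = list(candidate_matrices(n, T, check_transpose))
    if not cands:
        return 0, []
    best = max(nd for _, nd in cands)
    return best, [P for P, nd in cands if nd == best]


if __name__ == "__main__":
    for name, P in (("P_E", P_E), ("Fig. 7", P_FIG7), ("constructed", P_COUNTER)):
        print(f"{name:12s} n_d = {min_active_sboxes(P)}  n_l = {min_active_sboxes_linear(P)}")
    best, mats = search_matrices(4, 4)
    print(f"search n=4, T=4: max n_d = {best} reached by {len(mats)} matrices")
```

For n = 4 the search with T = 4 returns n_d = 4, reached exactly by the matrices whose four columns are the four weight-3 vectors, i.e. the Fig. 7 matrix up to a row permutation; P_E, with one weight-4 column, stops at 3. The constructed matrix passes the search with T = 3 but has n_l = 2, so the transposed-matrix check is the one a practitioner should keep switched on.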

[0052] The following is an algorithm for determining the construction of the linear transformation part 344A when the matrix P is given. Here, one of the following conditions is to be met:

(1) Minimization of the number of exclusive ORs (XORs), or

(2) Repeated appearance of a similar subconstruction.

Step 1: In the matrix P, choose two rows and XOR one row (row a) with the other row (row b) (hereinafter referred to as a primitive operation).

Step 2: Transform the matrix P into the unit matrix I by repeating the primitive operation, count the number of times the primitive operation was performed, and find a matrix transformation procedure that yields the minimum number of primitive operations.

Step 3: To construct the linear transformation part 344A, lines A and B, which correspond to the rows a and b chosen in step 2, are XORed in the order reverse to the transformation procedure.
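Steps 1 to 3 of paragraph [0052] carried out in Python as an added example, not code from the patent. The matrix of Fig. 7 (Equations (7-1) to (7-4)) and P_E (Equations (3-1) to (3-4)) are the inputs; the "minimum number of primitive operations" of Step 2 is found by a breadth-first search over the matrices reachable from P, and the circuit of Step 3 is checked against P on every input.

```python
"""Construction of the linear transformation part 344A from a given matrix P by
the primitive row operation of paragraph [0052] (Steps 1 to 3).  Added
example, not code from the patent.  Rows are kept as n-bit integers so a
matrix is a tuple of n ints and the search over procedures is a breadth-first
search, which finds a shortest sequence of primitive operations."""
from collections import deque
from itertools import product

# Matrix of Fig. 7 (Equations (7-1) to (7-4)) and P_E (Equations (3-1) to (3-4))
P_FIG7 = [[1, 0, 1, 1], [0, 1, 1, 1], [1, 1, 1, 0], [1, 1, 0, 1]]
P_E = [[0, 1, 1, 1], [1, 0, 1, 1], [1, 1, 1, 0], [1, 1, 1, 1]]


def rows_as_ints(P):
    n = len(P)
    return tuple(sum(P[i][j] << (n - 1 - j) for j in range(n)) for i in range(n))


def min_primitive_ops(P):
    """Steps 1 and 2: the shortest list of (a, b) meaning 'row a ^= row b' that
    turns P into the unit matrix.  Raises ValueError if P is singular, since
    row operations never reach the unit matrix from a singular matrix."""
    n = len(P)
    start, unit = rows_as_ints(P), tuple(1 << (n - 1 - i) for i in range(n))
    prev = {start: None}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        if state == unit:
            break
        for a, b in product(range(n), repeat=2):
            if a == b:
                continue
            rows = list(state)
            rows[a] ^= rows[b]
            nxt = tuple(rows)
            if nxt not in prev:
                prev[nxt] = (state, (a, b))
                queue.append(nxt)
    else:
        raise ValueError("P is singular: no sequence of primitive operations reaches I")
    ops, state = [], unit
    while prev[state] is not None:
        state, op = prev[state]
        ops.append(op)
    return ops[::-1]            # in the order they were applied to P


def xor_network(P):
    """Step 3: the circuit applies the same (a, b) pairs to the data lines in
    the reverse order; each pair is one XOR gate 'line a ^= line b'."""
    return min_primitive_ops(P)[::-1]


def apply_network(gates, z):
    """Run the circuit on n subblocks (ints of any width); returns z' = P z."""
    lines = list(z)
    for a, b in gates:
        lines[a] ^= lines[b]
    return tuple(lines)


def mat_vec(P, z):
    return tuple(sum(P[i][j] & z[j] for j in range(len(z))) & 1 for i in range(len(P)))


def network_realises(P):
    """Exhaustive check on single-bit subblocks that the circuit computes P."""
    gates = xor_network(P)
    return all(apply_network(gates, z) == mat_vec(P, z)
               for z in product((0, 1), repeat=len(P)))


if __name__ == "__main__":
    gates = xor_network(P_FIG7)
    print(len(gates), "XOR gates for the Fig. 7 matrix:", gates)
    print("Fig. 7 matrix realised:", network_realises(P_FIG7))
    print("P_E needs", len(xor_network(P_E)), "gates; realised:", network_realises(P_E))
```

For the Fig. 7 matrix the search returns six gates, the same number of data XORs as circuits 31_0 to 31_3, 32_0 and 32_1 in Fig. 7 (the four key XORs of part 344B come on top, giving the ten XORs mentioned in paragraph [0068]). Because each gate is an in-place XOR of one line into another, the result is directly a wiring list for part 344A; condition (2) of [0052], a repeated subconstruction, is not optimised for here.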



[0053] In Fig. 7 there is depicted a concrete example of the second key-dependent linear transformation part 344 which has the linear transformation part 344A determined as described above. In the linear transformation part 344A, the four pieces of data mid_00, mid_01, mid_02 and mid_03 are input to the processing routes 30_0 to 30_3, respectively. In the processing route 30_0, mid_00 and mid_01 are XORed by an XOR circuit 31_0; in the processing route 30_2, mid_02 and the output from the XOR circuit 31_0 are XORed by an XOR circuit 31_2; and the output from the XOR circuit 31_2 is XORed with mid_01 by an XOR circuit 31_1.

[0054] In the processing route 30_3, the output from the XOR circuit 31_0 and the data mid_03 are XORed by an XOR circuit 31_3; in the processing route 30_1, the outputs from the XOR circuits 31_1 and 31_3 are XORed by an XOR circuit 32_1; and in the processing route 30_0, the outputs from the XOR circuits 32_1 and 31_0 are XORed by an XOR circuit 32_0.

[0055] The outputs from the XOR circuits 32_0, 32_1, 31_2 and 31_3 and the subkey data k_i10, k_i11, k_i12 and k_i13 are XORed by XOR circuits 35_0 to 35_3 of the key-dependent transformation part 344B, respectively, which provide mid_10, mid_11, mid_12 and mid_13. In other words, the pieces of data mid_00, mid_01, mid_02 and mid_03 are associated with one another and then undergo a linear transformation dependent on the 8-bit subkey data k_i10, k_i11, k_i12 and k_i13, respectively. In short, the logical operations given by the following expressions are performed:

$mid_{10} = mid_{00} \oplus mid_{02} \oplus mid_{03} \oplus k_{i10}$ (7-1)

$mid_{11} = mid_{01} \oplus mid_{02} \oplus mid_{03} \oplus k_{i11}$ (7-2)

$mid_{12} = mid_{00} \oplus mid_{01} \oplus mid_{02} \oplus k_{i12}$ (7-3)

$mid_{13} = mid_{00} \oplus mid_{01} \oplus mid_{03} \oplus k_{i13}$ (7-4)



[0056] Incidentally, the subkey k_i1 is composed of the four pieces of data k_i10, k_i11, k_i12 and k_i13.

[0057] As depicted in Fig. 5, these pieces of data mid_10, mid_11, mid_12 and mid_13 are then nonlinearly transformed in the nonlinear transformation parts 345_0, 345_1, 345_2 and 345_3 into the data out_0, out_1, out_2 and out_3, respectively, which are combined into the single piece of data Y* in the combining part 346. Finally, the data Y* is linearly transformed into the data Y_i by, for example, a k_i2-bit left rotation in the third key-dependent linear transformation part 347 using the key data k_i2, thereby generating the output data Y_i of the nonlinear function part 304. The nonlinear transformation parts 343_0 to 343_3 and 345_0 to 345_3 function just like the S-boxes of the DES cipher, and they are constructed by, for example, a ROM which receives the input data as an address and reads out the corresponding data.

[0058] Since the four nonlinear transformation parts 343_0 to 343_3 are arranged in parallel and their transformation processes are not associated with one another, they can be executed in parallel. The same goes for the nonlinear transformation parts 345_0 to 345_3. Thus each group of nonlinear transformation parts can be executed in one step (a total of two steps in the nonlinear function part 304). Letting p represent the differential/linear probability of the nonlinear transformation parts 343_0 to 343_3 and 345_0 to 345_3, the nonlinear function part 304 provides a differential/linear probability of $p^4$ as a whole when the second key-dependent linear transformation part 344 has the construction shown in Fig. 7. Accordingly, when the number of rounds of the entire data transformation device is 3r, an approximate representation is obtained with a probability $P \le p^{8r}$; for example, when r = 4 (12 rounds), $P \le p^{32}$. In the case of the DES cipher, this corresponds to 48 or more rounds, ensuring sufficient security against differential cryptanalysis and linear cryptanalysis.

[0059] Incidentally, the pieces of key data fk, k_00, k_01, k_02, k_10, k_11, k_12, ..., k_(N-1)0, k_(N-1)1, k_(N-1)2, ek are data stored in the key storage part 322 in Fig. 4 after being derived in the expanded key generation part 321 from the master key K input via the key input part 320 of the key scheduling part 20. The generation of the key data in the expanded key generation part 321 may be the same as in the expanded key generation part 21 for the DES cipher in Fig. 1, or as in the expanded key generation part 21 by Miyaguchi et al. depicted in Fig. 3.

[0060] The initial key-dependent transformation part 302 and the final key-dependent transformation part 308 shown in Fig. 4 and the key-dependent linear transformation parts 341, 344 and 347 in each nonlinear function part 304 shown in Fig. 5 are linear transformation parts which depend on keys; therefore, the device of this embodiment is a cryptographic device which is sufficiently secure against both differential cryptanalysis and linear cryptanalysis and hence attaches primary importance to security.

[0061] The present invention is not limited specifically to this example; for example, if speedup is demanded, it is feasible to omit any one of the initial key-dependent transformation part 302, the final key-dependent transformation part 308 and the key-dependent linear transformation parts 341, 344 and 347, or to modify it into a key-independent transformation part. In this case, the encryption speed can be increased without significantly diminishing the security against differential cryptanalysis and linear cryptanalysis.

Second Embodiment

[0062] A description will be given of another embodiment of the nonlinear function part 304 of Fig. 5 in a data transformation device of the same construction as that of the first embodiment depicted in Fig. 4. In this embodiment the nonlinear transformation parts 343_0, 343_1, 343_2 and 343_3 in Fig. 5 are replaced with nonlinear transformation parts 343_0' to 343_3' which nonlinearly transform, for example, 8-bit inputs in_0 to in_3 into 32-bit expanded data MID_00, MID_01, MID_02 and MID_03, as equivalently shown in Figs. 8A to 8D, respectively; furthermore, the key-dependent linear transformation part 344 has the construction depicted in Fig. 9.



[0063] As in the case of Fig. 5, the data R_i is input to the nonlinear function part 304 together with the key data k_i0, k_i1 and k_i2. The data R_i is linearly transformed into data R* = R_i ⊕ k_i0, for example by being XORed with the key data k_i0 in the first key-dependent linear transformation part 341. Next, the data R* is split into four pieces of data in_0, in_1, in_2 and in_3 in the splitting part 342. The four pieces of data in_0, in_1, in_2 and in_3 are nonlinearly transformed into data MID_00, MID_01, MID_02 and MID_03 in the nonlinear transformation parts 343_0', 343_1', 343_2' and 343_3' depicted in Figs. 8A to 8D, respectively. In the first embodiment the nonlinear transformation part 343_0 outputs the m-bit data mid_00 for the m-bit input in_0, whereas in this embodiment the nonlinear transformation part 343_0' has an S-box which outputs, as its high-order m bits, the same m-bit data mid_00 as the nonlinear transformation part 343_0 of the first embodiment of Fig. 5 and, as its low-order m bits, the fixed data "00 ... 0(2)"; further, the part duplicates the high-order m-bit data mid_00 onto three routes and outputs the m-bit data "00 ... 0(2)" on the remaining route. That is, the nonlinear transformation part 343_0' is means for transforming the m-bit data in_0 to the 4m-bit data

$MID_{00} = [\,mid_{00},\ 00\ldots0_{(2)},\ mid_{00},\ mid_{00}\,]$ (8-1)

Similarly, the nonlinear transformation parts 343_1', 343_2' and 343_3' are means for transforming the input data in_1, in_2 and in_3 to

$MID_{01} = [\,00\ldots0_{(2)},\ mid_{01},\ mid_{01},\ mid_{01}\,]$ (8-2)

$MID_{02} = [\,mid_{02},\ mid_{02},\ mid_{02},\ 00\ldots0_{(2)}\,]$ (8-3)

$MID_{03} = [\,mid_{03},\ mid_{03},\ 00\ldots0_{(2)},\ mid_{03}\,]$ (8-4)

The data MID_00 expressed by Equation (8-1) can be determined as the entire data which appears on the four output routes of the linear transformation part 344A when the pieces of data mid_01, mid_02 and mid_03 other than mid_00 are each set to "00 ... 0(2)"; it is, in other words, column 0 of the matrix P spread over the four routes. Similarly, the data MID_01, MID_02 and MID_03 expressed by Equations (8-2), (8-3) and (8-4) can also be determined easily. These nonlinear transformation parts 343_0' to 343_3' may be constructed in memory as transformation tables from which the data MID_00, MID_01, MID_02 and MID_03 are read out using the data in_0, in_1, in_2 and in_3 as addresses.

[0064] Then these pieces of data MID_00 to MID_03 are input to the second key-dependent linear transformation part 344 with the key data k_i1, as depicted in Fig. 9. MID_00 and MID_01 are XORed by an XOR circuit 41; MID_02 and MID_03 are XORed by an XOR circuit 42; the outputs from the XOR circuits 41 and 42 are XORed by an XOR circuit 43; and the output from the XOR circuit 43 and the key data k_i1 are XORed by an XOR circuit 44. The output MID_1 from the XOR circuit 44 is split into the m-bit outputs mid_10, mid_11, mid_12 and mid_13. In effect, the second key-dependent linear transformation part 344 linearly transforms the input data by the following operation:

$MID_1 = MID_{00} \oplus MID_{01} \oplus MID_{02} \oplus MID_{03} \oplus k_{i1}$ (9)

[0065] The components of the output MID_1 = [mid_10, mid_11, mid_12, mid_13] of this linear transformation are expressed by the following equations, respectively:

$mid_{10} = mid_{00} \oplus mid_{02} \oplus mid_{03} \oplus k_{i10}$ (10-1)

$mid_{11} = mid_{01} \oplus mid_{02} \oplus mid_{03} \oplus k_{i11}$ (10-2)

$mid_{12} = mid_{00} \oplus mid_{01} \oplus mid_{02} \oplus k_{i12}$ (10-3)

$mid_{13} = mid_{00} \oplus mid_{01} \oplus mid_{03} \oplus k_{i13}$ (10-4)

These linear transformation operations are equivalent to those of Fig. 7 given by Equations (7-1) to (7-4). In this way, the same pieces of data mid_10, mid_11, mid_12 and mid_13 as in the first embodiment are generated. Incidentally, k_i1 is composed of the four pieces of data k_i10, k_i11, k_i12 and k_i13.
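The equivalence of Fig. 9 to Fig. 7 claimed in paragraphs [0063] to [0065], worked through in Python as an added example; this is not the patent's code. The S-box is a constructed placeholder (a power map on Z/257, chosen only because it is bijective and fits on one line), the matrix is that of Equations (7-1) to (7-4), and the expanded tables MID_0j of Equations (8-1) to (8-4) are generated from the S-box and the columns of that matrix rather than written by hand, which is how a practitioner would build them for any P.

```python
"""Second embodiment (Figs. 8A to 8D and 9): the first S-box layer and the
matrix P are merged into four 32-bit tables so that the key-dependent linear
transformation 344 costs four XORs instead of ten.  Added example, not code
from the patent; the S-box is a constructed placeholder."""
import random

# Constructed bijective 8-bit S-box: x -> ((x+1)^3 mod 257) - 1.
# 257 is prime and gcd(3, 256) = 1, so cubing permutes {1..256}; shifting by 1 permutes 0..255.
SBOX = [pow(x + 1, 3, 257) - 1 for x in range(256)]

# Matrix P of Fig. 7, Equations (7-1) to (7-4): row i lists the mid_0j entering mid_1i
P = [[1, 0, 1, 1],
     [0, 1, 1, 1],
     [1, 1, 1, 0],
     [1, 1, 0, 1]]


def mid1_fig7(in_bytes, k_i1):
    """First embodiment: S-boxes 343, the XOR network of Fig. 7, then k_i1.
    Returns mid_10..mid_13 packed big-endian into one 32-bit word."""
    mid0 = [SBOX[x] for x in in_bytes]
    word = 0
    for i in range(4):
        v = 0
        for j in range(4):
            if P[i][j]:
                v ^= mid0[j]
        word = (word << 8) | v
    return word ^ k_i1


def expanded_tables():
    """Figs. 8A to 8D: MID_0j[x] carries S(x) in byte position i iff P[i][j] == 1
    and 00...0 elsewhere (Equations (8-1) to (8-4)); this is column j of P
    spread over the four output routes, as paragraph [0063] describes."""
    tables = []
    for j in range(4):
        table = []
        for x in range(256):
            word = 0
            for i in range(4):
                word = (word << 8) | (SBOX[x] if P[i][j] else 0)
            table.append(word)
        tables.append(table)
    return tables


MID_TABLES = expanded_tables()


def mid1_fig9(in_bytes, k_i1):
    """Second embodiment, Equation (9): four table reads and four XORs."""
    word = 0
    for j in range(4):
        word ^= MID_TABLES[j][in_bytes[j]]
    return word ^ k_i1


def equivalent_on_samples(trials=2000, seed=1):
    """Compare both realisations on constructed random inputs and subkeys."""
    rng = random.Random(seed)
    for _ in range(trials):
        ins = [rng.randrange(256) for _ in range(4)]
        k = rng.getrandbits(32)
        if mid1_fig7(ins, k) != mid1_fig9(ins, k):
            return False
    return True


if __name__ == "__main__":
    print("Fig. 9 tables reproduce Fig. 7:", equivalent_on_samples())
    print("MID_00[0x12] =", hex(MID_TABLES[0][0x12]), " (S-box value", hex(SBOX[0x12]), "in routes 0, 2, 3)")
```

The trade-off paragraph [0068] leaves implicit is visible in the code: the four S-boxes of 256 bytes become four tables of 256 words of 4m bits each, and the per-round work drops to four reads and four XORs. Because the tables are built from P and the S-box, swapping in a different matrix or S-box regenerates them; nothing needs to be rewritten by hand.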

[0066] Then the four pieces of data mid_10, mid_11, mid_12 and mid_13 are nonlinearly transformed into the data out_0, out_1, out_2 and out_3 in the nonlinear transformation parts 345_0, 345_1, 345_2 and 345_3, respectively, as in Fig. 5, and in the combining part 346 the four pieces of data out_0, out_1, out_2 and out_3 are combined into the single piece of data Y*. Finally, the data Y* is linearly transformed into the data Y_i by, for example, a k_i2-bit left rotation in the third key-dependent linear transformation part 347 using the key data k_i2, thereby generating the output data Y_i of the nonlinear function part 304.

[0067] In the second embodiment depicted in Figs. 8A to 8D and 9, it is also possible to form, as in the first embodiment, the nonlinear transformation parts 343_0' to 343_3' of Figs. 8A to 8D from S-boxes which output only the 8-bit data mid_00 to mid_03, respectively, and to provide in the key-dependent linear transformation part 344 the wiring shown in Figs. 8A to 8D together with a register which outputs the 8-bit data "00 ... 0", thereby generating the data MID_00 to MID_03 there.

[0068] The second key-dependent linear transformation part 344 in this embodiment implements a linear transformation equivalent to that of Fig. 7 with four XOR circuits, as depicted in Fig. 9 (ten XORs in Fig. 7), and hence permits a faster transformation than the first embodiment; the cost is that the expanded tables have 2^m entries of 4m bits each, against 2^m entries of m bits for the S-boxes of the first embodiment.

[0069] Furthermore, as in the first embodiment, the four nonlinear transformation parts 343_0' to 343_3' and 345_0 to 345_3 are arranged in parallel and their nonlinear transformation processes are not associated with one another, so they can be executed in parallel. Besides, letting p represent the differential/linear probability of the nonlinear transformation parts 343_0' to 343_3' and 345_0 to 345_3, the differential/linear probability of the nonlinear function part 304 is $p^4$ as a whole.

Third Embodiment

[0070] A description will be given of another embodiment of the nonlinear function part 304, of still another functional configuration, in a data transformation device that has the functional configuration depicted in Fig. 4, as in the first embodiment.

[0071] As depicted in Fig. 5, for example, 32-bit data R_i is input to the nonlinear function part 304 together with the key data k_i0, k_i1 and k_i2 stored in the key storage part 322. The data R_i is linearly transformed into data R* = R_i ⊕ k_i0 by, for example, XORing with the key data k_i0 in the first key-dependent linear transformation part 341. Then the data R* is split into four pieces of, for example, 8-bit data in_0, in_1, in_2 and in_3 in the splitting part 342.

[0072] In the nonlinear transformation part 343_0, as shown in Fig. 10, for instance, the data in_0 is further split into two subblocks in_00 and in_01 of, for example, 4 bits each; the subblock in_00 is transformed to data mid_000 in a sub-nonlinear transformation part 51 and, at the same time, it is XORed with the data in_01 by an XOR circuit 52, whose output in_00 ⊕ in_01 is transformed into data mid_001 in a sub-nonlinear transformation part 53. Thereafter, these outputs mid_000 and mid_001 are XORed by an XOR circuit 54, and its output and the data mid_001 are combined into the data mid_00. That is, the nonlinear transformation part 343_0 splits the input in_0 into two subblocks, performs linear and nonlinear transformations on the two subblocks, and combines the two resulting output subblocks into the output of the nonlinear transformation part. Similarly, the other pieces of data in_1, in_2 and in_3 are transformed into the data mid_01, mid_02 and mid_03 in the nonlinear transformation parts 343_1, 343_2 and 343_3, each having the functional configuration shown in Fig. 10, which comprises two sub-nonlinear transformation parts and two XOR circuits.

[0073] These pieces of transformed data mid_00, mid_01, mid_02 and mid_03 are input to the second key-dependent linear transformation part 344 depicted in Fig. 7, which uses the key data k_i1. The transformation part 344 performs the aforementioned operations of Equations (7-1) to (7-4).

[0074] Then the data mid_10 is input to the nonlinear transformation part 345_0, of the same functional configuration as shown in Fig. 10, wherein it is further split into two subblocks mid_100 and mid_101. The subblock mid_100 is transformed into data out_00 in the sub-nonlinear transformation part 51. The subblocks mid_100 and mid_101 are XORed by the XOR circuit 52, and its output mid_100 ⊕ mid_101 is transformed into data out_01 in the sub-nonlinear transformation part 53. Then the two pieces of data out_00 and out_01 are XORed by the XOR circuit 54, and its output out_00 ⊕ out_01 and the data out_01 are combined into out_0. Similarly, the other pieces of data mid_11, mid_12 and mid_13 are transformed into the data out_1, out_2 and out_3 in the nonlinear transformation parts 345_1, 345_2 and 345_3, each having the functional configuration shown in Fig. 10, which comprises the two sub-nonlinear transformation parts 51, 53 and the two XOR circuits 52, 54.

[0075] The four pieces of nonlinearly transformed data out_0, out_1, out_2 and out_3 are combined into a single piece of data Y* in the combining part 346. Finally, the data Y* is linearly transformed into the data Y_i, for example by a k_i2-bit left rotation in the third key-dependent linear transformation part 347 using the key data k_i2, by which the output data Y_i of the nonlinear function part 304 is generated.

[0076] As described above, according to this embodiment, in each of the nonlinear transformation parts 343_0 to 343_3 and 345_0 to 345_3 the input data is split into two pieces, which are nonlinearly transformed in the two sub-nonlinear transformation parts (51 and 53 in Fig. 10). Hence the nonlinear transformation parts 343_0 to 343_3 and 345_0 to 345_3 can accept input data of twice the bit length that the 16 sub-nonlinear transformation parts handle. For example, assuming that the sub-nonlinear transformation parts 51 and 53 are 8-bit S-boxes, each input to the nonlinear transformation parts 343_0 to 343_3 and 345_0 to 345_3 is 16 bits long and the input to the nonlinear function part 304 is 64 bits long. As a result, the block length of the data transformation device of Fig. 4 can be made 128 bits.

[0077] The sub-nonlinear transformation parts 51 and 53 are arranged in parallel in groups of eight and their nonlinear transformation processes are not associated with one another, so they can be executed in parallel. Further, letting p represent the differential/linear probability of the sub-nonlinear transformation parts 51 and 53, the nonlinear function part 304 provides a differential/linear probability of $p^4$ as a whole.

[0078] In the above, the first key-dependent linear transformation part 341, the second key-dependent linear transformation part 344 and the third key-dependent linear transformation part 347 need not always be key-dependent, i.e., the linear transformation may be performed on the subdata without key data.
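The nested construction of Fig. 10 (paragraphs [0072] to [0076]) as an added Python example, not code from the patent: two placeholder 8-bit bijective sub-S-boxes (power maps on Z/257, constructed here) are combined into one 16-bit nonlinear transformation part, its inverse is written out, and the part is checked exhaustively to be a permutation, which is the property paragraph [0042] assumes of the S-boxes when counting active S-boxes.

```python
"""Nonlinear transformation part of Fig. 10: a 2m-bit part made of two m-bit
sub-S-boxes (51, 53) and two XOR circuits (52, 54).  Added example, not code
from the patent; the sub-S-boxes are constructed placeholders."""

# Constructed bijective 8-bit S-boxes: x -> ((x+1)^e mod 257) - 1 permutes
# 0..255 whenever gcd(e, 256) = 1, so e = 3 and e = 5 both work.
S51 = [pow(x + 1, 3, 257) - 1 for x in range(256)]
S53 = [pow(x + 1, 5, 257) - 1 for x in range(256)]
INV51 = {v: x for x, v in enumerate(S51)}
INV53 = {v: x for x, v in enumerate(S53)}


def fig10_part(in16):
    """in_0 -> mid_00 following paragraph [0072]: in_0 = in_00 || in_01,
    mid_000 = S51(in_00), mid_001 = S53(in_00 ^ in_01),
    mid_00 = (mid_000 ^ mid_001) || mid_001."""
    in00, in01 = in16 >> 8, in16 & 0xFF
    mid000 = S51[in00]                          # sub-nonlinear transformation part 51
    mid001 = S53[in00 ^ in01]                   # XOR circuit 52, then part 53
    return ((mid000 ^ mid001) << 8) | mid001    # XOR circuit 54 and combining


def fig10_part_inverse(out16):
    """Undo fig10_part.  The low half is mid_001 unchanged; XORing it into the
    high half recovers mid_000; inverting 51 and 53 then gives in_00 and in_01."""
    hi, mid001 = out16 >> 8, out16 & 0xFF
    in00 = INV51[hi ^ mid001]
    in01 = INV53[mid001] ^ in00
    return (in00 << 8) | in01


def is_permutation():
    """Exhaustive check over all 2**16 inputs.  The composite inherits
    bijectivity from 51 and 53 because every step (S-box, XOR with a value
    that is still available, concatenation) is invertible."""
    return len({fig10_part(x) for x in range(1 << 16)}) == 1 << 16


if __name__ == "__main__":
    print("Fig. 10 part is a permutation of 16-bit values:", is_permutation())
    y = fig10_part(0x1234)
    print(hex(y), "->", hex(fig10_part_inverse(y)))
```

The same two functions serve as parts 345_0 to 345_3 on the mid_1j subblocks (paragraph [0074]); only the names of the inputs change. Note that what the construction guarantees is bijectivity: the differential and linear properties of the 16-bit part are not those of an ideal 16-bit S-box and still have to be evaluated, which is why paragraph [0077] states the round probability in terms of the 8-bit sub-S-box probability p.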

[0079] While in the above the data processing has been described as performed with a hardware structure, it may also be implemented by software that follows a program. For example, Fig. 11 is a flowchart showing the principal part of the procedure for data processing. Fig. 11 shows the procedure corresponding to the entire procedure of Fig. 4.

Step S1: Initialize to 0 a variable i representing the repeat count of processing.

Step S2: Perform the initial transformation of an input plaintext and split it into left and right block data L_i and R_i.

Step S3: Process the right block data R_i by the nonlinear function using the subkey k_i to generate the block data Y_i.

Step S4: Perform linear processing of the left block data L_i by the block data Y_i to generate the block data L_i*.

Step S5: Change the right block data R_i to the new left block data L_i and the block data L_i* to the new right block data R_i.

Step S6: Increment the variable i by one.

Step S7: Check whether i has reached N, and if not, return to step S3 and repeat steps S3 to S7.

Step S8: If it is decided in step S7 that the variable i has reached N, combine the left and right data L_i and R_i and output the result of the final transformation as the output data C.

[0080] Details of the process in step S3 of Fig. 11 correspond to the process of the nonlinear function part 304 shown in Fig. 5, and the procedure is depicted in Fig. 12.

Step S31: Perform the first key-dependent linear transformation of the right data R_i into the data R_i*.

Step S32: Split the data R_i* into n m-bit data in_0, in_1, ..., in_(n-1) (where m = 8 and n = 4, for instance).

Step S33: Read out data mid_00, mid_01, ..., mid_0(n-1) from the n first S-boxes using the data in_0, in_1, ..., in_(n-1) as addresses.

Step S34: Perform the key-dependent linear transformation of the data mid_00 to mid_0(n-1) by the subkey k_i1 to generate data mid_10 to mid_1(n-1).

Step S35: Read out data out_0 to out_(n-1) from the n second S-boxes using the data mid_10 to mid_1(n-1) as addresses.

Step S36: Combine the data out_0 to out_(n-1) into data Y_i*.

Step S37: Perform the third key-dependent linear transformation of the data Y_i* to generate data Y_i, and output it.

[0081] The operations in step S34 may be those of Equations (7-1) to (7-4), or of Equation (9) using the definitions of Equations (8-1) to (8-4). While Fig. 11 depicts the procedure that repeats steps S3 to S7 by the number of rounds involved, the individual processes of the round processing parts 38_0 to 38_(N-1) shown in Fig. 3 may also be programmed intact to implement the data diffusion part according to the present invention.

Fourth Embodiment

[0082] The first embodiment depicted in Fig. 4 is one in which the basic linear transformation part 344A of Fig. 6, which constitutes the second key-dependent linear transformation part 344 of the nonlinear function part 304 (Fig. 5), is represented by a 4 × 4 matrix (that is, four inputs and four outputs). The fourth embodiment will be described below for the case where the linear transformation part 344A is represented by an 8 × 8 matrix.

[0083] Fig. 13 illustrates the functional configuration of the encryption procedure in the data transformation device according to the fourth embodiment of the present invention. This configuration itself is identical with that of the first embodiment but differs from the latter in the data length and in the split number n of the data to be split in the nonlinear function part 304.

[0084] The input data M is transformed in the initial key-dependent transformation part 302 using the key data fk stored in the key storage part 322 and is split into left and right block data L_0 and R_0 in the initial splitting part 303. For example, 128-bit data is split into two pieces of 64-bit block data L_0 and R_0. The key-dependent initial transformation part 302 performs a linear transformation such as exclusive ORing of the key data fk with the input data M or bit rotation of the input data M by the key data fk, or a nonlinear transformation by a combination of multiplications.

[0085] The right block data R_0 is provided to the nonlinear function part 304 together with the key data k_00, k_01 and k_02 stored in the key storage part 322, and in the nonlinear function part 304 it is nonlinearly transformed to data Y_0. The data Y_0 and the data L_0 are transformed by a linear operation to data L_0* in the linear operation part 305. The data L_0* and the data R_0 undergo data-position swapping in the swapping part 306 to provide L_1 ← R_0 and R_1 ← L_0*, and the pieces of data L_1 and R_1 are fed to the next, first round processing part 38_1.

[0086] Thereafter, in the i-th round processing part 38_i (where i = 0, 1, ..., N-1) the same processing as mentioned above is repeated for the two pieces of input block data L_i and R_i. That is, the right block data R_i is input to the nonlinear function part 304 together with the key data k_i0, k_i1 and k_i2, and in the nonlinear function part 304 it is nonlinearly transformed to block data Y_i. The block data Y_i and the block data L_i are transformed to data L_i* by a linear operation in the linear operation part 305. The data L_i* and the data R_i are swapped in data position in the swapping part 306, that is, L_(i+1) ← R_i, R_(i+1) ← L_i*. The linear operation part 305 performs, for instance, an exclusive OR operation.

[0087] Letting N represent the number of rounds suitable to provide security of the data transformation device, two pieces of left and right data L_N and R_N are obtained as the result of such repeated processing. These pieces of data L_N and R_N are combined into a single piece of block data in the final combining part 307; for example, the two pieces of 64-bit data L_N and R_N are combined into 128-bit data. Then the thus combined data is transformed in the final linear transformation part 308 using the key data ek stored in the key storage part 322, and the output data C is provided as a ciphertext from the output part 309.

[0088] In decryption, the plaintext M can be derived from the ciphertext C by reversing the encryption procedure. In particular, when the key-dependent final transformation part 308 performs the transformation inverse to that of the key-dependent initial transformation part 302, decryption can be done by inputting the ciphertext data in place of the input data in Fig. 13 and then inputting the key data in the order reverse to that in Fig. 13, that is, ek, k_(N-1)0, k_(N-1)1, k_(N-1)2, ..., k_10, k_11, k_12, k_00, k_01, k_02, fk.

[0089] Next, a detailed description will be given of the internal configuration of the nonlinear function part 304. Fig. 14 is a diagram showing the internal functional configuration of the nonlinear function part 304.

[0090] The right block data R_i is input to the nonlinear function part 304 together with the key data k_i0, k_i1 and k_i2 stored in the key storage part 322. In the first key-dependent linear transformation part 341 the right block data R_i is transformed to data R_i* = R_i ⊕ k_i0, for example, by XORing it with the subkey data k_i0. The thus transformed data R_i* is split into n = 8 pieces of data in_0, in_1, in_2, ..., in_7 in the splitting part 342. The eight pieces of data in_0 to in_7 are nonlinearly transformed to data mid_00 to mid_07 in the nonlinear transformation parts 343_0 to 343_7, and are thereafter input to the second key-dependent linear transformation part 344, which uses the key data k_i1.

[0091] The second key-dependent linear transformation part 344 performs a linear transformation (XORing) among the pieces of data mid_00, mid_01, mid_02, ..., mid_07 input from the eight routes to provide new data on eight routes, and further performs a linear transformation (XORing) of these pieces of data on the eight routes with the eight parts of the key data k_i1 to provide the output data mid_10, mid_11, mid_12, ..., mid_17 on the eight routes. These eight pieces of data are input to the nonlinear transformation parts 345_0, 345_1, 345_2, ..., 345_7, where they are transformed to data out_0, out_1, out_2, ..., out_7, respectively. These eight pieces of data are combined into data Y_i* in the combining part 346; furthermore, in the third key-dependent linear transformation part 347 the data Y_i* undergoes a linear transformation with the key data k_i2 to generate the output data Y_i.

[0092] The second key-dependent linear transformation part 344 contains the linear transformation part 344A expressed by an n × n matrix as described previously with respect to Fig. 6; in this embodiment n = 8. In this instance, assume that the linear transformation part is bijective, that is, rank(P) = 8. A description will be given of the determination of an 8 × 8 matrix P that yields the maximum value of n_d as described in the first embodiment. In this instance, the security threshold T is reduced one by one in the order T = 8, 7, ..., and the following algorithm is executed for each value.

Step 1: Set the security threshold T (where T is an integer such that 2 ≤ T ≤ n).

Step 2: Prepare the set C of column vectors whose Hamming weights are equal to or larger than T-1.

Step 3: Select a subset P_c of eight column vectors from the set C. If rank(P_c) ≠ 8, the subset P_c is not accepted as a candidate.

Step 3-1: Compute n_d for P_c as follows.

For any two columns (columns a, b):

  n_d0 = 2 + min_(a,b) #{(t_ia, t_ib) | t_ia ⊕ t_ib = 1, 0 ≤ i < 8}

For any three columns (columns a, b, c):

  n_d1 = 3 + min_(a,b,c) #{(t_ia, t_ib, t_ic) | t_ia ⊕ t_ib ⊕ t_ic = 1, 0 ≤ i < 8}
  n_d2 = 3 + min_(a,b,c) #{(t_ia, t_ib, t_ic) | exception of (0,0,0), (1,1,1), 0 ≤ i < 8}

For any four columns (columns a, b, c, d):

  n_d3 = 4 + min_(a,b,c,d) #{(t_ia, t_ib, t_ic, t_id) ∈ {(0,0,0,1), (0,0,1,0), (0,1,0,0), (1,0,0,0), (0,1,1,1), (1,0,1,1), (1,1,0,1), (1,1,1,0)}, 0 ≤ i < 8}
  n_d4 = 4 + min_(a,b,c,d) #{(t_ia, t_ib, t_ic, t_id) | exception of (0,0,0,0), (1,1,0,0), (0,0,1,1), (1,1,1,1), 0 ≤ i < 8}
  n_d5 = 4 + min_(a,b,c,d) #{(t_ia, t_ib, t_ic, t_id) | exception of (0,0,0,0), (1,0,1,0), (1,1,1,1), (0,1,0,1), 0 ≤ i < 8}
  n_d6 = 4 + min_(a,b,c,d) #{(t_ia, t_ib, t_ic, t_id) | exception of (0,0,0,0), (1,0,0,1), (0,1,1,0), (1,1,1,1), 0 ≤ i < 8}
  n_d7 = 4 + min_(a,b,c,d) #{(t_ia, t_ib, t_ic, t_id) | exception of (0,0,0,0) and three further patterns [illegible in the source], 0 ≤ i < 8}
  n_d8 = 4 + min_(a,b,c,d) #{(t_ia, t_ib, t_ic, t_id) | exception of (0,0,0,0), (0,1,0,1), (1,0,1,1), (1,1,1,0), 0 ≤ i < 8}
  n_d9 = 4 + min_(a,b,c,d) #{(t_ia, t_ib, t_ic, t_id) | exception of (0,0,0,0), (0,0,1,1), (1,1,0,1), (1,1,1,0), 0 ≤ i < 8}

  n_d = min{n_di | 0 ≤ i ≤ 9}



[0093] Intuitively, Equations n_d0 to n_d9 represent the minimum number of active s-boxes in the second nonlinear transformation part 345 (second term on the right-hand side) and the total number of active s-boxes (the left-hand side) at that time, when the number of active s-boxes in the first nonlinear transformation part 343 (first term on the right-hand side) is given. For example, when there are two active s-boxes in the first nonlinear transformation part 343, their difference values can be represented as Δz_a and Δz_b, respectively. At this time,

  [Δz'_i] = [t_ia Δz_a ⊕ t_ib Δz_b]   (0 ≤ i < 8)   (11)

In particular, when Δz_a = Δz_b,

  [Δz'_i] = [(t_ia ⊕ t_ib) Δz_a]   (0 ≤ i < 8)   (12)

Accordingly, the minimum number of active s-boxes in this case is given by n_d0.

[0094] As a result of our search for the matrix P by the above search algorithm, it has been found that there is no matrix with n_d ≥ 6 = T but that there are 10080 candidate matrices with n_d = 5 = T. Hence, the invulnerability of the round function using such a matrix P against differential cryptanalysis is p ≤ p_s^5, and the invulnerability against linear cryptanalysis is also q ≤ p_s^5.

[0095] The construction of the linear transformation part is determined from among the above-mentioned 10080 candidate matrices P. Determining the construction by an exhaustive search would involve a computational complexity of approximately (8·7)^16 ≈ 2^93 when 16 XORs are used, which is impossible to perform. The construction is therefore limited to one in which the linear transformation part 344A is composed of four boxes B1 to B4 with 8 inputs and 4 outputs, as depicted in Fig. 15A. The boxes are each formed by four XOR circuits as shown in Fig. 15B and designed so that every input line passes through one of the XOR circuits. Accordingly, the linear transformation part 344A comprises a total of 16 XOR circuits. In this instance, the computational complexity is around (4·3·2·1)^4 ≈ 2^18, which is sufficiently small for an exhaustive search.

[0096] While in Fig. 15A the four transformation boxes are alternately inserted in the lines of the left and right four routes, these lines may be any four arbitrarily selected lines and the remaining four lines. Each transformation box is supplied with inputs from the four lines in which it is inserted and inputs from the remaining four lines, and outputs the results of the transformation to the former four lines.

[0097] As a result of searching the 10080 matrices obtained by the above search algorithm for matrices which are formed from the unit matrix I by 16 primitive operations (XORs) while satisfying the construction of Fig. 15, it was found that there are 57 such constructions. The matrix P of one of these constructions is shown below.

(13)

In Fig. 16 there is depicted an example of the construction of the linear transformation part 344A using this matrix, together with the nonlinear transformation parts 343 and 345. As shown, four transformation boxes B1 to B4 are alternately inserted in the lines of the four left and four right routes from the eight S-boxes forming the first nonlinear transformation part 343, and consequently two XOR circuits are inserted in each line.

[0098] As is the case with the 4 × 4 matrix in the first embodiment, it can be ascertained as described below whether the matrix for the mask value path is the transposed matrix of the matrix P in the linear transformation part 344A of Fig. 16 and whether n_d = 5 correctly holds. By constructing the mask value path in the linear transformation part 344A of Fig. 16 using the concatenation rules defined by Theorem 2 in the Appendix, the matrix ᵀP for the mask value path can be computed as follows:

(14)

This indicates that the matrix ᵀP is the transposed matrix of the matrix P. Further, it can be confirmed that the minimum number of active s-boxes is n_d = 5.
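The checks of [0092] to [0098] can be run mechanically. The following is an added example and not part of the patent: it transcribes the Fig. 17 XOR circuit of [0102] to [0105], recovers the matrix P from it, compares it with Equations (15-1) to (15-8), checks the Hamming-weight and rank conditions of Steps 2 and 3, and computes the minimum number of active s-boxes n_d for P and for its transpose (the mask value path matrix). Instead of the case enumeration n_d0 to n_d9 it minimises directly over difference assignments; the differences are modelled as vectors of GF(2)^3, which is enough because only the linear relations among the active differences decide which outputs cancel.

```python
from functools import reduce
from itertools import combinations, product
from operator import xor


def linear_part_344A(mid0):
    """Fig. 17 linear transformation part 344A, transcribed from [0102]-[0105].
    mid0[j] is the value on route 60_j; 61_j and 62_j are the first and second
    XOR circuit on that route. Values are ints combined with XOR, so the same
    code propagates data bytes, difference vectors or GF(2) unit vectors."""
    m = list(mid0)
    c61 = [0] * 8
    c61[4], c61[5] = m[4] ^ m[0], m[5] ^ m[1]          # [0102]
    c61[6], c61[7] = m[6] ^ m[2], m[7] ^ m[3]
    c61[0], c61[1] = m[0] ^ c61[6], m[1] ^ c61[7]      # [0103]
    c61[2], c61[3] = m[2] ^ c61[4], m[3] ^ c61[5]
    c62 = [0] * 8
    c62[4], c62[5] = c61[3] ^ c61[4], c61[0] ^ c61[5]  # [0104]
    c62[6], c62[7] = c61[1] ^ c61[6], c61[2] ^ c61[7]
    c62[0], c62[1] = c61[0] ^ c62[4], c61[1] ^ c62[5]  # [0105]
    c62[2], c62[3] = c61[2] ^ c62[6], c61[3] ^ c62[7]
    return c62   # 16 XORs; the key XORs 63_j of [0106] would follow here


# Equations (15-1)..(15-8): input indices j of mid_0j feeding each output mid_1i.
EQ15 = [{1, 2, 3, 4, 5, 6}, {0, 2, 3, 5, 6, 7}, {0, 1, 3, 4, 6, 7}, {0, 1, 2, 4, 5, 7},
        {0, 1, 3, 4, 5}, {0, 1, 2, 5, 6}, {1, 2, 3, 6, 7}, {0, 2, 3, 4, 7}]


def matrix_from_circuit():
    """Recover P (P[i][j] = t_ij) by feeding the unit vector 1 << j in on route j:
    output i then carries the bit mask of the inputs it depends on."""
    out = linear_part_344A([1 << j for j in range(8)])
    return [[(out[i] >> j) & 1 for j in range(8)] for i in range(8)]


def row_sets(P):
    return [{j for j in range(8) if P[i][j]} for i in range(8)]


def column_weights(P):
    """Hamming weight of each column vector; Step 2 requires >= T-1."""
    return [sum(P[i][j] for i in range(8)) for j in range(8)]


def transpose(P):
    return [[P[j][i] for j in range(8)] for i in range(8)]


def gf2_rank(P):
    """Rank over GF(2) by elimination on row bit masks; Step 3 requires 8."""
    rows = [sum(bit << j for j, bit in enumerate(r)) for r in P]
    rank = 0
    for col in range(8):
        pivot = next((r for r in rows if (r >> col) & 1), None)
        if pivot is None:
            continue
        rows.remove(pivot)
        rows = [r ^ pivot if (r >> col) & 1 else r for r in rows]
        rank += 1
    return rank


def apply_matrix(P, x):
    """y_i = XOR of x_j over all j with t_ij = 1 (XOR-linear in every x_j)."""
    return [reduce(xor, (x[j] for j in range(8) if P[i][j]), 0) for i in range(8)]


def min_active_sboxes(P):
    """n_d: minimum over non-zero input differences of (active S-boxes in 343)
    + (active S-boxes in 345). With k active inputs only the linear relations
    among the k differences decide which outputs cancel, so for k <= 4 taking
    the differences from GF(2)^3 (values 1..7) is exhaustive; for k >= 5 a
    bijective P leaves at least one output active, giving a total >= 6."""
    if gf2_rank(P) != 8:
        raise ValueError("P must be bijective")
    best = 16
    for k in (1, 2, 3, 4):
        for cols in combinations(range(8), k):
            for vals in product(range(1, 8), repeat=k):
                x = [0] * 8
                for c, v in zip(cols, vals):
                    x[c] = v
                active_out = sum(1 for y in apply_matrix(P, x) if y)
                best = min(best, k + active_out)
    if best > 6:
        raise ValueError("patterns with k >= 5 active inputs must be searched too")
    return best


if __name__ == "__main__":
    P = matrix_from_circuit()
    print("rows match (15-1)..(15-8):", row_sets(P) == EQ15)
    print("column weights:", column_weights(P), "rank:", gf2_rank(P))
    print("n_d(P) =", min_active_sboxes(P), "n_d(transpose) =", min_active_sboxes(transpose(P)))
```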

[0099] Fig. 17 illustrates a concrete example of the second key-dependent linear transformation part 344, which comprises the linear transformation part 344A of the construction determined above and a key transformation part 344B.

[0100] The key transformation part 344B calculates the XORs of the key data k_i10, k_i11, k_i12, ..., k_i17 and the outputs from the linear transformation part by XOR circuits 63_0, 63_1, 63_2, ..., 63_7, and yields the output data mid_10, mid_11, mid_12, ..., mid_17. With the functional construction depicted in Fig. 17, the following operations are performed.

  mid_10 = mid_01 ⊕ mid_02 ⊕ mid_03 ⊕ mid_04 ⊕ mid_05 ⊕ mid_06 ⊕ k_i10   (15-1)
  mid_11 = mid_00 ⊕ mid_02 ⊕ mid_03 ⊕ mid_05 ⊕ mid_06 ⊕ mid_07 ⊕ k_i11   (15-2)
  mid_12 = mid_00 ⊕ mid_01 ⊕ mid_03 ⊕ mid_04 ⊕ mid_06 ⊕ mid_07 ⊕ k_i12   (15-3)
  mid_13 = mid_00 ⊕ mid_01 ⊕ mid_02 ⊕ mid_04 ⊕ mid_05 ⊕ mid_07 ⊕ k_i13   (15-4)
  mid_14 = mid_00 ⊕ mid_01 ⊕ mid_03 ⊕ mid_04 ⊕ mid_05 ⊕ k_i14   (15-5)
  mid_15 = mid_00 ⊕ mid_01 ⊕ mid_02 ⊕ mid_05 ⊕ mid_06 ⊕ k_i15   (15-6)
  mid_16 = mid_01 ⊕ mid_02 ⊕ mid_03 ⊕ mid_06 ⊕ mid_07 ⊕ k_i16   (15-7)
  mid_17 = mid_00 ⊕ mid_02 ⊕ mid_03 ⊕ mid_04 ⊕ mid_07 ⊕ k_i17   (15-8)

[0101] The above operations generate the data mid_10, mid_11, mid_12, ..., mid_17. Incidentally, the subkey k_i1 is composed of the eight pieces of data k_i10, k_i11, k_i12, ..., k_i17. In Fig. 17, the pieces of data mid_00 to mid_07 are input to the routes 60_0 to 60_7, respectively.
[0102] The XOR circuits 61_4, 61_5, 61_6, 61_7 on the routes 60_4, 60_5, 60_6, 60_7 calculate the XORs of the data mid_04 and mid_00, mid_05 and mid_01, mid_06 and mid_02, mid_07 and mid_03, respectively.

[0103] The XOR circuits 61_0, 61_1, 61_2, 61_3 on the routes 60_0, 60_1, 60_2, 60_3 calculate the XORs of the data mid_00 and the output from the XOR circuit 61_6, the data mid_01 and the output from the XOR circuit 61_7, the data mid_02 and the output from the XOR circuit 61_4, and the data mid_03 and the output from the XOR circuit 61_5, respectively.

[0104] The XOR circuits 62_4, 62_5, 62_6, 62_7 on the routes 60_4, 60_5, 60_6, 60_7 calculate the XORs of the outputs from the XOR circuits 61_3 and 61_4, the outputs from the XOR circuits 61_0 and 61_5, the outputs from the XOR circuits 61_1 and 61_6, and the outputs from the XOR circuits 61_2 and 61_7, respectively.

[0105] The XOR circuits 62_0, 62_1, 62_2, 62_3 on the routes 60_0, 60_1, 60_2, 60_3 calculate the XORs of the outputs from the XOR circuits 61_0 and 62_4, the outputs from the XOR circuits 61_1 and 62_5, the outputs from the XOR circuits 61_2 and 62_6, and the outputs from the XOR circuits 61_3 and 62_7, respectively.

[0106] Furthermore, the XOR circuits 63_0 to 63_7 on the routes 60_0 to 60_7 XOR the outputs from the XOR circuits 62_0 to 62_7 with the key data k_i10 to k_i17, respectively, providing the outputs mid_10 to mid_17 from the routes 60_0 to 60_7. That is, the outputs mid_10 to mid_13 are the XORs of six pieces of data selected from the input data mid_00 to mid_07 and the key data, and the outputs mid_14 to mid_17 are the XORs of five pieces of data selected from the input data mid_00 to mid_07 and the key data.

[0107] Turning back to Fig. 14, the pieces of data mid_10, mid_11, mid_12, ..., mid_17 are nonlinearly transformed to the pieces of data out_0, out_1, out_2, ..., out_7 in the nonlinear transformation parts 345_0, 345_1, 345_2, ..., 345_7, and in the combining part 346 the eight pieces of data out_0, out_1, out_2, ..., out_7 are combined into a single piece of data Y_i*. Finally, the data Y_i* is linearly transformed to data Y_i, for example, by a k_i2-bit left rotation in the third key-dependent linear transformation part 347 using the key data k_i2, thereby generating the output data Y_i from the nonlinear function part 304.

[0108] The nonlinear transformation parts 343_0 to 343_7 and 345_0 to 345_7 function just like the S-boxes of the DES cipher, and they are each formed by, for example, a ROM which receives the input data as an address and reads out the corresponding data.

[0109] The eight nonlinear transformation parts 343_0 to 343_7 are arranged in parallel and their transformation processes are not associated with one another, and hence they can be executed in parallel. The same goes for the nonlinear transformation parts 345_0 to 345_7. Thus, the transformations can be executed in one step for each group (a total of two steps). Letting p represent the differential/linear probability of the nonlinear transformation parts 343_0 to 343_7 and 345_0 to 345_7, the nonlinear function part 304 provides a differential/linear probability p^5 as a whole when the second key-dependent linear transformation part 344 has the construction shown in Fig. 17. Accordingly, when the number of rounds of the entire data transformation device is 3r, an approximate representation is obtained with a probability P ≤ p^(10r); for example, when r = 4 (12 rounds), P ≤ p^40. In the case of the DES cipher, this corresponds to 60 or more rounds, making it possible to provide a data transformation device sufficiently secure against differential cryptanalysis and linear cryptanalysis. Incidentally, the second key-dependent linear transformation part 344 is not limited specifically to the linear transformation part depicted in Fig. 17 but may be modified as shown in Fig. 18, for instance. In this instance, the following operations are conducted.

  mid_10 = mid_01 ⊕ mid_02 ⊕ mid_04 ⊕ mid_05 ⊕ mid_06 ⊕ mid_07 ⊕ k_i10   (16-1)
  mid_11 = mid_01 ⊕ mid_02 ⊕ mid_03 ⊕ mid_04 ⊕ mid_06 ⊕ k_i11   (16-2)
  mid_12 = mid_00 ⊕ mid_01 ⊕ mid_03 ⊕ mid_04 ⊕ mid_05 ⊕ mid_06 ⊕ k_i12   (16-3)
  mid_13 = mid_00 ⊕ mid_03 ⊕ mid_04 ⊕ mid_06 ⊕ mid_07 ⊕ k_i13   (16-4)
  mid_14 = mid_00 ⊕ mid_02 ⊕ mid_03 ⊕ mid_05 ⊕ mid_06 ⊕ mid_07 ⊕ k_i14   (16-5)
  mid_15 = mid_00 ⊕ mid_01 ⊕ mid_02 ⊕ mid_05 ⊕ mid_06 ⊕ k_i15   (16-6)
  mid_16 = mid_00 ⊕ mid_01 ⊕ mid_02 ⊕ mid_03 ⊕ mid_04 ⊕ mid_07 ⊕ k_i16   (16-7)
  mid_17 = mid_00 ⊕ mid_02 ⊕ mid_04 ⊕ mid_05 ⊕ mid_07 ⊕ k_i17   (16-8)

[0110] Alternatively, the circuit construction of Fig. 19 may be used, in which case the following operations are performed.

  mid_10 = mid_00 ⊕ mid_01 ⊕ mid_04 ⊕ mid_05 ⊕ mid_06 ⊕ k_i10   (17-1)
  mid_11 = mid_01 ⊕ mid_03 ⊕ mid_04 ⊕ mid_05 ⊕ mid_07 ⊕ k_i11   (17-2)
  mid_12 = mid_00 ⊕ mid_02 ⊕ mid_04 ⊕ mid_06 ⊕ mid_07 ⊕ k_i12   (17-3)
  mid_13 = mid_02 ⊕ mid_03 ⊕ mid_05 ⊕ mid_06 ⊕ mid_07 ⊕ k_i13   (17-4)
  mid_14 = mid_00 ⊕ mid_01 ⊕ mid_03 ⊕ mid_05 ⊕ mid_06 ⊕ mid_07 ⊕ k_i14   (17-5)
  mid_15 = mid_01 ⊕ mid_02 ⊕ mid_03 ⊕ mid_04 ⊕ mid_06 ⊕ mid_07 ⊕ k_i15   (17-6)
  mid_16 = mid_00 ⊕ mid_01 ⊕ mid_02 ⊕ mid_04 ⊕ mid_05 ⊕ mid_07 ⊕ k_i16   (17-7)
  mid_17 = mid_00 ⊕ mid_02 ⊕ mid_03 ⊕ mid_04 ⊕ mid_05 ⊕ mid_06 ⊕ k_i17   (17-8)



[0111] As is evident from the operations in Figs. 17 to 19, the second key-dependent linear transformation part 344 performs a key-dependent linear transformation which yields a total of eight pieces of output data mid_10, mid_11, mid_12, ..., mid_17: four pieces of output data derived from six pieces of data selected from the eight pieces of input data mid_00, mid_01, mid_02, ..., mid_07, and four pieces of output data derived from five pieces of data selected from the eight pieces of input data. If this linear transformation is one in which each of the eight pieces of input data mid_00, mid_01, mid_02, ..., mid_07 affects the output data of at least four other routes (for instance, in the Fig. 17 example the input data mid_00 affects the six pieces of output data mid_11, mid_12, mid_13, mid_14, mid_15 and mid_17), the nonlinear function part 304 provides a differential/linear probability p^5 as a whole, as described previously with reference to Fig. 17.

[0112] The key data {fk, k_00, k_01, k_02, k_10, k_11, k_12, ..., k_(N-1)0, k_(N-1)1, k_(N-1)2, ek} is data provided by inputting the master key via the key input part 320 to the expanded key generation part 321, transforming it to key data and storing it in the key storage part 322.

[0113] The expanded key generation part 321 may be made identical in construction with the expanded key generation part 21 for the DES cipher shown in Fig. 1, or with the expanded key generation part disclosed in U.S. Patent No. 4,850,019.

[0114] Since the initial key-dependent transformation part 302, the final key-dependent transformation part 308 and the key-dependent linear transformation parts 341, 344 and 347 are key-dependent linear transformation means, the data transformation device is also sufficiently secure against cryptanalysis techniques other than differential and linear cryptanalysis.

[0115] The fourth embodiment is not limited specifically to the above constructions; if speedup is desired, any one of the initial key-dependent transformation part 302, the final key-dependent transformation part 308 and the key-dependent linear transformation parts 341, 344 and 347 may be omitted or modified into key-independent transformation means. In this case, the encryption speed can be increased without significantly diminishing the security against differential cryptanalysis and linear cryptanalysis.

Fifth Embodiment

[0116] A description will be given of a modified form of the functional configuration of the nonlinear function part 304 in the same data transformation device as the fourth embodiment depicted in Fig. 13. The basic construction of this embodiment is the same as that of the fourth embodiment of Fig. 13 except that the nonlinear transformation parts 343_0 to 343_7 in the nonlinear function part 304 of Fig. 14 are modified like the nonlinear transformation parts 343_0', 343_1', 343_2' and 343_3' in the second embodiment depicted in Figs. 8A through 8D so that they output expanded data. The second key-dependent linear transformation part 344 is similar in construction to that shown in Fig. 9.

[0117] As depicted in Fig. 13, the right block data R_i is input to the nonlinear function part 304 together with the key data k_i0, k_i1, k_i2 stored in the key storage part 322. In the first key-dependent linear transformation part 341 the data R_i is, for example, XORed with the key data k_i0 and hence is linearly transformed to data R_i* = R_i ⊕ k_i0 as in the case of Fig. 14. Then the data R_i* is split into eight pieces of data in_0, in_1, in_2, ..., in_7 in the splitting part 342. The eight pieces of data in_0, in_1, in_2, ..., in_7 are nonlinearly transformed to data MID_00, MID_01, MID_02, ..., MID_07 in the nonlinear transformation parts 343_0', 343_1', 343_2', ..., 343_7', respectively. The nonlinear transformation part 343_0' is so designed as to transform the m-bit data in_0 to the following 8×m-bit data.

  MID_00 = [00...0(2), mid_00, mid_00, mid_00, mid_00, mid_00, 00...0(2), mid_00]   (18-1)

That is, the nonlinear transformation part 343_0' has, for example, as shown in Fig. 20A, an S-box which outputs the data mid_00 as the high-order m bits, as does the nonlinear transformation part 343_0 in the fourth embodiment of Fig. 14, and outputs "00...0(2)" as the low-order m bits; furthermore, it branches the output data mid_00 into six routes and "00...0(2)" into two other routes.

[0118] The nonlinear transformation part 343_1' has, as depicted in Fig. 20B, an S-box 343_1 which outputs the data mid_01 as the high-order m bits and outputs "00...0(2)" as the low-order m bits; furthermore, it branches the output data mid_01 into six routes and the m-bit data "00...0" into two other routes. The other nonlinear transformation parts 343_2' to 343_7' are similarly constructed; Fig. 20C depicts the construction of the nonlinear transformation part 343_7', but no description will be repeated. These nonlinear transformation parts 343_1' to 343_7' transform the data in_1 to in_7 to the following data MID_01 to MID_07, respectively.

  MID_01 = [mid_01, 00...0(2), mid_01, mid_01, mid_01, mid_01, mid_01, 00...0(2)]   (18-2)
  MID_02 = [mid_02, mid_02, 00...0(2), mid_02, 00...0(2), mid_02, mid_02, mid_02]   (18-3)
  MID_03 = [mid_03, mid_03, mid_03, 00...0(2), mid_03, 00...0(2), mid_03, mid_03]   (18-4)
  MID_04 = [mid_04, 00...0(2), mid_04, mid_04, mid_04, 00...0(2), 00...0(2), mid_04]   (18-5)
  MID_05 = [mid_05, mid_05, 00...0(2), mid_05, mid_05, mid_05, 00...0(2), 00...0(2)]   (18-6)
  MID_06 = [mid_06, mid_06, mid_06, 00...0(2), 00...0(2), mid_06, mid_06, 00...0(2)]   (18-7)
  MID_07 = [00...0(2), mid_07, mid_07, mid_07, 00...0(2), 00...0(2), mid_07, mid_07]   (18-8)

[0119] These pieces of data MID_00 to MID_07 can be predetermined in the same manner as described previously in connection with Equations (8-1) to (8-4) in the second embodiment. That is, the data MID_00 is the set of data obtained at the outputs of the eight routes of the linear transformation part 344A in Fig. 17 when all pieces of data other than mid_00, namely mid_01 to mid_07, are set to "00...0(2)". The same goes for the data MID_01 to MID_07. These nonlinear transformation parts 343_0' to 343_7' may be formed by memories from which the pieces of data MID_00 to MID_07 are directly read out using the data in_0 to in_7 as addresses.

[0120] Then the pieces of data MID_00 to MID_07 are input to the second key-dependent linear transformation part 344 using the key data k_i1, as shown in Fig. 21. The second key-dependent linear transformation part 344 is made up of XOR circuits 41_1 to 41_4, each of which XORs two pieces of input data, XOR circuits 42_1 and 42_2, each of which XORs the outputs from two of them, an XOR circuit 43 which XORs their outputs, and an XOR circuit 44 which XORs its output with the key data k_i1. With this construction, the following operation is conducted.

  MID_1 = MID_00 ⊕ MID_01 ⊕ MID_02 ⊕ MID_03 ⊕ MID_04 ⊕ MID_05 ⊕ MID_06 ⊕ MID_07 ⊕ k_i1   (19)

This output MID_1 is split into eight blocks, which are output as data mid_10, mid_11, mid_12, ..., mid_17. Eventually, the linear transformation by the second key-dependent linear transformation part 344, expressed in units of m-bit subblocks, becomes as follows:

  mid_10 = mid_01 ⊕ mid_02 ⊕ mid_03 ⊕ mid_04 ⊕ mid_05 ⊕ mid_06 ⊕ k_i10   (20-1)
  mid_11 = mid_00 ⊕ mid_02 ⊕ mid_03 ⊕ mid_05 ⊕ mid_06 ⊕ mid_07 ⊕ k_i11   (20-2)
  mid_12 = mid_00 ⊕ mid_01 ⊕ mid_03 ⊕ mid_04 ⊕ mid_06 ⊕ mid_07 ⊕ k_i12   (20-3)
  mid_13 = mid_00 ⊕ mid_01 ⊕ mid_02 ⊕ mid_04 ⊕ mid_05 ⊕ mid_07 ⊕ k_i13   (20-4)
  mid_14 = mid_00 ⊕ mid_01 ⊕ mid_03 ⊕ mid_04 ⊕ mid_05 ⊕ k_i14   (20-5)
  mid_15 = mid_00 ⊕ mid_01 ⊕ mid_02 ⊕ mid_05 ⊕ mid_06 ⊕ k_i15   (20-6)
  mid_16 = mid_01 ⊕ mid_02 ⊕ mid_03 ⊕ mid_06 ⊕ mid_07 ⊕ k_i16   (20-7)
  mid_17 = mid_00 ⊕ mid_02 ⊕ mid_03 ⊕ mid_04 ⊕ mid_07 ⊕ k_i17   (20-8)

The above equations express a linear transformation equivalent to that of Equations (15-1) to (15-8) described previously with reference to Fig. 17. As a result, the same pieces of data mid_10, mid_11, mid_12, ..., mid_17 are generated. Incidentally, the subkey data k_i1 is composed of the eight pieces of data k_i10, k_i11, k_i12, ..., k_i17.
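The table-driven form of [0117] to [0120] as an added example, not code from the patent: the tables MID_0j of Equations (18-1) to (18-8) are built from the columns of the Fig. 17 matrix P, and the single XOR chain of Equation (19) (Fig. 21) is compared against the row-wise Equations (15-1) to (15-8). The S-box contents are a placeholder constructed for this example, and the slot layout (subblock i of the 8m-bit word at bits 8i to 8i+7, with m = 8) is an assumption.

```python
import os

# Matrix P of Fig. 17 (Equations (15-1)..(15-8)): P[i][j] = 1 iff mid_0j feeds mid_1i.
P = [[0, 1, 1, 1, 1, 1, 1, 0],
     [1, 0, 1, 1, 0, 1, 1, 1],
     [1, 1, 0, 1, 1, 0, 1, 1],
     [1, 1, 1, 0, 1, 1, 0, 1],
     [1, 1, 0, 1, 1, 1, 0, 0],
     [1, 1, 1, 0, 0, 1, 1, 0],
     [0, 1, 1, 1, 0, 0, 1, 1],
     [1, 0, 1, 1, 1, 0, 0, 1]]

# Placeholder 8-bit S-box for the nonlinear transformation parts 343_j
# (constructed for this example; the patent does not list S-box contents).
SBOX = [((x * 167 + 13) ^ (x >> 4)) & 0xFF for x in range(256)]

REPLICATE = 0x0101010101010101   # multiplying a byte by this copies it into all 8 slots


def expanded_tables(P, sbox):
    """The eight 8m-bit tables MID_0j of Equations (18-1)..(18-8): for input byte x,
    slot i of MID_0j holds sbox[x] if t_ij = 1 and 00...0 otherwise (slot 0 = mid_10)."""
    tables = []
    for j in range(8):
        col_mask = sum(0xFF << (8 * i) for i in range(8) if P[i][j])
        tables.append([col_mask & (sbox[x] * REPLICATE) for x in range(256)])
    return tables


def fast_transform(tables, inputs, k_i1):
    """Fifth embodiment (Fig. 21, Equation (19)): one table access per route, then a
    single XOR chain over eight 64-bit words and the subkey word k_i1."""
    mid1 = 0
    for j in range(8):
        mid1 ^= tables[j][inputs[j]]
    mid1 ^= k_i1
    return [(mid1 >> (8 * i)) & 0xFF for i in range(8)]   # split into mid_10 .. mid_17


def reference_transform(P, sbox, inputs, k_i1):
    """Fourth embodiment (Fig. 17, Equations (15-1)..(15-8)): S-boxes first, then the
    row-wise XOR sums given by P, then the key bytes k_i10 .. k_i17 (k_i10 in slot 0)."""
    mid0 = [sbox[x] for x in inputs]
    key_bytes = [(k_i1 >> (8 * i)) & 0xFF for i in range(8)]
    out = []
    for i in range(8):
        acc = key_bytes[i]
        for j in range(8):
            if P[i][j]:
                acc ^= mid0[j]
        out.append(acc)
    return out


def table_matches_equation_18_1(tables, x=0x5A):
    """MID_00 must carry 00...0 in slots 0 and 6 and mid_00 in every other slot."""
    slots = [(tables[0][x] >> (8 * i)) & 0xFF for i in range(8)]
    s = SBOX[x]
    return slots == [0, s, s, s, s, s, 0, s]


def equivalent_on_random_inputs(trials=1000):
    """Equation (19)/(20) must agree with Equations (15-1)..(15-8) on every input."""
    tables = expanded_tables(P, SBOX)
    for _ in range(trials):
        inputs = list(os.urandom(8))
        k_i1 = int.from_bytes(os.urandom(8), "little")
        if fast_transform(tables, inputs, k_i1) != reference_transform(P, SBOX, inputs, k_i1):
            return False
    return True
```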

[0121] Next, the eight pieces of data mid_10, mid_11, mid_12, ..., mid_17 are nonlinearly transformed to the eight pieces of data out_0, out_1, out_2, ..., out_7 in the nonlinear transformation parts 345_0, 345_1, 345_2, ..., 345_7 in Fig. 14, and the eight pieces of data out_0, out_1, out_2, ..., out_7 are combined into a single piece of data Y_i* in the combining part 346. Finally, the data Y_i* is linearly transformed to data Y_i by, for example, a k_i2-bit left rotation in the third key-dependent linear transformation part 347 using the key data k_i2.

[0122] As depicted in Fig. 21, the second key-dependent linear transformation part 344 uses eight XOR circuits but implements a linear transformation equivalent to that in Fig. 17 (which uses 24 XOR circuits), and hence it permits faster transformation than the fourth embodiment.

[0123] Furthermore, as is the case with the fourth embodiment, the eight nonlinear transformation parts 343_0' to 343_7' and 345_0 to 345_7 are arranged in parallel and their nonlinear transformation processes are not associated with one another, and hence they can be executed in parallel. Besides, letting p represent the differential/linear probability of the nonlinear transformation parts 343_0' to 343_7', the differential/linear probability of the nonlinear function part 304 becomes p^5 as a whole.

[0124] In the above, the second (key-dependent) linear transformation part 344 may perform the transformation by XORing the input subdata without depending on the key k_i1. That is, the XOR circuits 63_0 to 63_7 in Fig. 17 and the circuits corresponding thereto in Figs. 18, 19 and 21 may be omitted.

[0125] Moreover, in the above, the first key-dependent linear transformation part 341, the second key-dependent transformation part 344 and the third key-dependent transformation part 347 need not always be key-dependent, that is, the linear transformation may be performed on the subdata without inputting the key data to them.

[0126] The data transformation processing in the fourth and fifth embodiments described above may also be implemented by executing a program of its procedure on a computer. The procedure is the same as shown in Figs. 11 and 12; hence, no description will be repeated.
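A software version of the procedures of Figs. 11 and 12 (steps S1 to S8 and S31 to S37) with the fourth-embodiment parameters (128-bit block, n = 8, m = 8) and the Fig. 17 matrix P, as an added example that is not the patent's own code. Everything the page leaves open is an assumption here: the two S-boxes are constructed placeholders, the expanded keys come from a toy schedule, the initial and final transformations 302 and 308 are XORs with fk and ek, the third transformation 347 is a left rotation by k_i2, and the final combining part 307 undoes the last swap so that decryption is the same procedure with the key data in reverse order, as [0088] states.

```python
MASK64 = (1 << 64) - 1

# Matrix P of Fig. 17 (Equations (15-1)..(15-8)): P[i][j] = 1 iff mid_0j feeds mid_1i.
P = [[0, 1, 1, 1, 1, 1, 1, 0], [1, 0, 1, 1, 0, 1, 1, 1], [1, 1, 0, 1, 1, 0, 1, 1],
     [1, 1, 1, 0, 1, 1, 0, 1], [1, 1, 0, 1, 1, 1, 0, 0], [1, 1, 1, 0, 0, 1, 1, 0],
     [0, 1, 1, 1, 0, 0, 1, 1], [1, 0, 1, 1, 1, 0, 0, 1]]

# Placeholder S-boxes for parts 343_j (S1) and 345_j (S2); constructed, not the patent's.
S1 = [((x * 167 + 13) ^ (x >> 4)) & 0xFF for x in range(256)]
S2 = [((x * 29 + 101) ^ (x >> 3)) & 0xFF for x in range(256)]


def rotl64(x, r):
    r %= 64
    return ((x << r) | (x >> (64 - r))) & MASK64 if r else x


def xor_all(values):
    acc = 0
    for v in values:
        acc ^= v
    return acc


def nonlinear_function(R, k_i0, k_i1, k_i2):
    """Fig. 12: S31 XOR with k_i0, S32 split into 8 bytes, S33 first S-boxes,
    S34 matrix P and k_i1, S35 second S-boxes, S36 combine, S37 rotate by k_i2."""
    r_star = R ^ k_i0
    inp = [(r_star >> (8 * j)) & 0xFF for j in range(8)]
    mid0 = [S1[x] for x in inp]
    key = [(k_i1 >> (8 * i)) & 0xFF for i in range(8)]
    mid1 = [key[i] ^ xor_all(mid0[j] for j in range(8) if P[i][j]) for i in range(8)]
    out = [S2[x] for x in mid1]
    y_star = sum(out[i] << (8 * i) for i in range(8))
    return rotl64(y_star, k_i2)


def expand_key(master_key, rounds):
    """Constructed toy schedule (assumption; the patent defers to a separate
    expanded key generation part): returns fk, [(k_i0, k_i1, k_i2)], ek as 64-bit words."""
    words = []
    state = int.from_bytes(master_key, "big") & MASK64
    for i in range(3 * rounds + 2):
        state = rotl64(state ^ ((0x9E3779B97F4A7C15 * (i + 1)) & MASK64), 23)
        words.append(state)
    fk, ek = words[0], words[-1]
    subkeys = [tuple(words[1 + 3 * i: 4 + 3 * i]) for i in range(rounds)]
    return fk, subkeys, ek


def feistel(block, fk, subkeys, ek):
    """Fig. 11: S2 initial transformation and split, S3 to S7 rounds, S8 combine
    and final transformation. The 64-bit fk/ek are applied to both halves."""
    x = block ^ ((fk << 64) | fk)
    L, R = x >> 64, x & MASK64
    for k_i0, k_i1, k_i2 in subkeys:
        Y = nonlinear_function(R, k_i0, k_i1, k_i2)   # S3
        L, R = R, L ^ Y                               # S4 and S5
    return ((R << 64) | L) ^ ((ek << 64) | ek)        # S8; last swap undone (assumption)


def encrypt(M, master_key, rounds=12):
    fk, subkeys, ek = expand_key(master_key, rounds)
    return feistel(M, fk, subkeys, ek)


def decrypt(C, master_key, rounds=12):
    """[0088]: the same procedure with the key data in reverse order
    ek, k_(N-1)0..2, ..., k_00..2, fk."""
    fk, subkeys, ek = expand_key(master_key, rounds)
    return feistel(C, ek, subkeys[::-1], fk)
```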

[0127] Fig. 22 illustrates an example of the system configuration wherein the program for the data 

transformation processing described in connection with the first to fifth embodiment is prerecorded on a recording 
medium and is read out therefrom to perform the data transformation according to the present invention. A central 
processing unit (CPU) 110, a read-only memory (ROM) 120, a random access memory (RAM) 130, a storage 
device (a hard disk HD, for instance) 140, an I/O interface 150 and a bus interconnecting them constitute an 
ordinary computer 100. The program for implementing the data transformation process according to the present 
invention is prestored on the recording medium such as the hard disk HD. In the ROM 120 there are stored 
respective S-boxes in tabular form. In the execution of the data transformation the program is read into the RAM 
130 from the hard disk HD 140, and upon input of the plaintext M via the interface 150, then the program is 
executed under the control of the CPU 110, and the resulting output data C is output via the interface 150. 
[0128] The program for the data transformation process may be one that is prestored in an arbitrary external 
storage device 180. In such an instance, the program can be used after once transferred via a driver 170 from the 
external storage device 180 to the hard disk 140 or the RAM 130. 

[0129] Though not shown, when the output data C is sent over a communication line or the Internet, only a
party holding the shared secret key can decrypt the output data C. Since the data C transformed
according to the present invention is highly resistant to differential cryptanalysis and linear cryptanalysis, it is
possible to transmit information with increased security.

[0130] Incidentally, when in each embodiment the key scheduling part 20 has the same construction as
depicted in Fig. 3, the subkeys used as k_i and k_{i+1} in the data diffusion part 10 are the outputs
Q_{2j} and Q_{2j+1} (where i = 2j) of the corresponding key processing part in the key scheduling part 20. Since
it is the subkeys k_N and k_{N-1} that are most likely to be recovered by differential cryptanalysis or linear
cryptanalysis, combining the data diffusion parts with these pieces of information makes it easy to find the other
subkeys.

[0131] The embodiment described below is intended to solve this problem by using a more complex key
scheduling algorithm in the key scheduling part 20 for generating subkeys in the data transformation device of Fig.
4, which is typical of the embodiments described above. To prevent success in analyzing the subkeys k_N and
k_{N-1} from leaking much information about the outputs of the other data diffusion parts, the following embodiment
employs a G-function part which performs the same function as the key diffusion part 22 depicted in Fig. 3 (the
function f_k in Fig. 3), and an H-function part with a data extracting function. According to a first aspect of key
generation, the H-function part extracts the information needed to generate the subkeys, as uniformly as possible,
from a required number of L components selected from the L components output by the G-function part and
stored once in a storage part. According to a second aspect, the partial information to be used as subkeys is
extracted in the H-function part from the L components as they are output by the G-function part and is stored
in a storage part, and the subkeys are generated by collecting the necessary information from a required number
of L components.

[0132] In the case of DES, since the subkeys are generated only by swapping bit positions of the master key,
the key scheduling process is fast. However, there is a problem that if some subkeys are known, the
corresponding master key can be obtained immediately.

[0133] To make the relationship between the master key and the subkeys more complex without substantially
increasing the computational complexity of key scheduling and without increasing the program size of the key
scheduling part, the G-function is constructed as a data diffusion function using the F-function of the data
diffusion part, or a subroutine forming the F-function (hereinafter denoted by f), and a plurality of intermediate
values L are generated by applying the G-function repeatedly.

[0134] The G-function operates on two input components (Y, v) and generates three output
components (L, Y, v). The bit length of the component Y is equal to or larger than that of the master key K.
[0135] To supply subkeys to the data diffusion part, the G-function is called a required number (M) of times to
generate M components L_j (j = 1, 2, ..., M). Letting the output of the j-th call of the G-function be
represented by (L_j, Y_j, v_j), the (Y_j, v_j) part of this output is used as the input to the (j+1)-th call of the
G-function. Assume here that Y_0 is a value containing K and that v_0 is a predetermined value (0, for instance).
[0136] For the given master key K, the subkey k_i (where i = 0, 1, 2, ..., N-1) is determined as follows:
[0136] For the given master key K, the subkey k ( (where i = 0, 1. 2, .... N-1) is determined as follows: 



(L_1, (Y_1, v_1)) = G(Y_0, v_0)    (21)

(L_{j+1}, (Y_{j+1}, v_{j+1})) = G(Y_j, v_j)    (j = 1, 2, ..., M-1)    (22)

k_i = H(i, L_1, L_2, ..., L_M)    (i = 0, 1, 2, ..., N-1)    (23)



where the H-function extracts from each component L_j the information at the bit positions determined by the
suffix i of the subkey, as required by the suffix i and by the M components L output from the G-function.

Sixth Embodiment

[0137] ... application to the key scheduling part 20 shown in Fig. 4A. The master key K is input to an intermediate key
generation part 220; the intermediate key generation part 220 has a plurality (M rounds) of G-function parts which
operate in cascade, and generates intermediate keys L_1 to L_M, which are stored in a storage part 230. The
intermediate keys L_1 to L_M stored in the storage part 230 are provided to a subkey generation part 240, in which
subkeys k_i are generated by an H-function part. The structure and operation of each part will be described
concretely below.

[0138] This example is intended to increase the security of the key scheduling part shown in Fig. 8 using the
data randomization part disclosed in the aforementioned U. S. patent issued to Miyaguchi et al. This embodiment
will be described as applied to the key scheduling part (Fig. 3) in the U. S. patent of Miyaguchi et al. when
N = 16.

[0139] In Fig. 3, 16 Q components are obtained by 8 (= N/2) rounds of data diffusion parts. Here,
let Q_j represent the respective Q component; each Q_j component is 16 bits. The subkey generation part 240
constructs the subkey k_0 from the value of the first bit of each Q_j component, the subkey k_1 from the value
of the second bit of each Q_j component, and in general the subkey k_{i-1} from the value of the i-th bit of
each component. That is, letting Q_j[i] represent the i-th bit of the Q_j component, the subkey k_{i-1} is given by
the following equation:

k_{i-1} = (Q_1[i], Q_2[i], ..., Q_j[i], ..., Q_16[i])    (24)

where 1 ≤ i, j ≤ 16.

[0140] This processing method will be reviewed below in the framework of the G- and H-functions
mentioned above. Here, Y_j is a 64-bit value, Y_j^L is the value of its high-order 32 bits and Y_j^R the value
of its low-order 32 bits.

[0141] Letting the output of the G-function for the input (Y_j, v_j) be represented by

(L_{j+1}, (Y_{j+1}, v_{j+1})) = G(Y_j, v_j)    (0 ≤ j ≤ 7),    (25)

the output (L_{j+1}, (Y_{j+1}, v_{j+1})) is given by the following equations:

Y_{j+1}^L = Y_j^R    (26)

Y_{j+1}^R = L_{j+1} = f_K(Y_j^L, Y_j^R ⊕ v_j)    (27)

v_{j+1} = Y_j^L    (28)

The subkey k_i is given as a function of i and L_1 to L_8 by the following equation:

k_i = H(i, L_1, L_2, ..., L_8)    (29)

Letting each L_j be represented by (t_j^(1), t_j^(2), ..., t_j^(32)), the H-function constructs the subkey k_i as follows:

k_i = (t_1^(i), t_1^(16+i), t_2^(i), t_2^(16+i), ..., t_8^(i), t_8^(16+i))    (1 ≤ i ≤ 16)    (30)

[0142] Since this method provides at most 16 subkeys, the encryption algorithm described in the U. S.
patent by Miyaguchi et al. can be used with a structure of at most eight rounds of F-functions.
[0143] The construction of the intermediate key generation part 220 shown in Fig. 23A will be described below
with reference to Fig. 24. G-function parts 22-1 to 22-8 are provided in cascade. The master key K is input
as Y_0 to the first-round G-function part 22-1 together with a constant v_0, and Y_{j-1} and v_{j-1} are input to the
G-function part 22-j of each j-th round; each G-function part randomizes Y_{j-1} and outputs L_j, Y_j and v_j. L_j is an
intermediate key, and Y_j and v_j are fed to the next G-function part 22-(j+1). That is, after setting Y_0 = K and v_0 = 0,
the G-function part 22 is called eight times. The construction of the G-function part is depicted in Fig. 25, for
which the following process is repeated from j = 0 to j = 7.

Step 1: Upon input of Y_j and v_j to the G-function part 22-(j+1), split Y_j into two blocks (Y_j^L, Y_j^R) by the splitting
part 221 in Fig. 25.

Step 2: Output Y_j^L as v_{j+1}. Input Y_j^L to the data diffusion part (f_K) 222.

Step 3: Input Y_j^R to the data swapping part 224. Input Y_j^R and v_j to the XOR circuit 223 to compute Y_j^R ⊕ v_j and
input the result to the data diffusion part (f_K) 222.

Step 4: Upon receiving Y_j^L and Y_j^R ⊕ v_j as inputs, the data diffusion part (f_K) 222 outputs the result of its
computation as L_{j+1} and, at the same time, inputs it to the swapping part 224.

Step 5: Upon receiving Y_j^R and the result L_{j+1} computed by the data diffusion part (f_K) 222, the swapping
part 224 renders Y_j^R as Y_{j+1}^L and L_{j+1} as Y_{j+1}^R, then concatenates them into Y_{j+1} = (Y_{j+1}^L, Y_{j+1}^R) and outputs it.



[0144] The eight L_j components output from the G-function parts 22-1 to 22-8 are stored once in the storage
part 230 (Fig. 23A).

[0145] Next, a description will be given, with reference to Fig. 26, of the construction of the H-function part
serving as the subkey generation part 240. The H-function part 240 performs the following steps after reading out
the eight L components L_1 to L_8 from the storage part 230.

Step 1: Read out each component L_j from the storage part 230 and input it to a bit splitter 241 to split it
bitwise as follows:

(t_j^(1), t_j^(2), ..., t_j^(32)) = L_j    (j = 1, 2, ..., 8)    (31)

Step 2: Input (t_1^(i), t_1^(16+i), t_2^(i), t_2^(16+i), ..., t_8^(i), t_8^(16+i)) to a bit combiner 242 to obtain the subkey as follows:

k_i = (t_1^(i), t_1^(16+i), t_2^(i), t_2^(16+i), ..., t_8^(i), t_8^(16+i))    (i = 1, 2, ..., 16)    (32)



Seventh Embodiment

[0146] A description will be given, with reference to Figs. 23B, 24, 25 and 27, of another embodiment which
outputs the same subkeys as the sixth embodiment.

[0147] As shown in Fig. 23B, a plurality of intermediate keys L_j are generated in the intermediate key
generation part 220. The intermediate key generation part 220 is identical in construction to that depicted in
Fig. 23A; that is, it comprises the plurality of G-function parts 22 shown in Fig. 24. Each time an
intermediate key L_j is generated in a G-function part 22, it is fed to the subkey generation part 250,
which outputs, as information k_{iq}, the bits at the positions determined by the suffix i of the subkey k_i and its bit
position q; this information is stored in the storage part 260.

[0148] That is, the intermediate key generation part 220 and the subkey generation part 250 repeat the
following steps 1 through 8 for each value from j = 0 to j = 7.

Step 1: Upon input of Y_j and v_j to the G-function part 22-(j+1), split Y_j into two blocks (Y_j^L, Y_j^R) by the splitting
part 221.

Step 2: Output Y_j^L as v_{j+1}, and input Y_j^L to the data diffusion part (f_K) 222.

Step 3: Input Y_j^R to the swapping part 224, and input Y_j^R and v_j to the XOR circuit 223 to calculate Y_j^R ⊕ v_j and
input it to the data diffusion part (f_K) 222.

Step 4: Upon receiving Y_j^L and Y_j^R ⊕ v_j, the data diffusion part (f_K) 222 inputs the result of its computation
as L_{j+1} to the subkey generation part 250 (Fig. 23B) and, at the same time, inputs it to the swapping part 224.

Step 5: Upon receiving Y_j^R and the result L_{j+1} calculated by the data diffusion part (f_K) 222, the swapping
part 224 renders Y_j^R as Y_{j+1}^L and L_{j+1} as Y_{j+1}^R, then concatenates them into Y_{j+1} = (Y_{j+1}^L, Y_{j+1}^R) and outputs it.

Step 6: As depicted in Fig. 27, the subkey generation part 250 inputs each intermediate key L_j to a bit splitter 251
to split it bitwise as follows:

(t_j^(1), t_j^(2), ..., t_j^(32)) = L_j    (j = 1, 2, ..., 8)    (33)

and then inputs the bits to an information distributor 252.

Step 7: Of the bit string (t_j^(1), t_j^(2), ..., t_j^(32)) input to the information distributor 252, the bits at the
positions of L_j determined by the suffix i of the subkey k_i and the bit position q within k_i are stored, for each
L_j, in the one of the 16 storage areas of the storage part 260 that is allocated to that subkey

k_i = (t_1^(i), t_1^(16+i), t_2^(i), t_2^(16+i), ..., t_8^(i), t_8^(16+i))    (34)

Step 8: When all 16 bits of a k_i have been set, that is, when the subkey k_i has been generated, output its value (i =
1, 2, ..., 16).
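As an added worked example that is not part of the patent, the following Python implements the sixth embodiment's G-function (Eqs. (26)-(28), Steps 1-5 of Fig. 25) and H-function (Eqs. (31)-(32)), the seventh embodiment's variant that fills the 16 storage areas of part 260 as each L_j is produced, and the leakage count stated in [0157]. The data diffusion part f_K of the Miyaguchi et al. patent is not given on this page, so `f_k` below is an assumed stand-in with the same 32-bit two-input interface; the bit ordering of the split (t^(1) taken as the most significant bit), the sample master key and the function names are likewise this example's own.

```python
# Added example, not the patent's code: the G-function of Eqs. (26)-(28) and
# the H-function of Eqs. (31)-(32), plus the [0157] leakage check. f_k is an
# ASSUMED stand-in for the Miyaguchi data diffusion part f_K (222), which is
# not specified on this page; only the wiring around it follows the text.
MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


def rotl32(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK32


def f_k(a, b):
    """ASSUMED 32-bit stand-in for f_K(a, b): a few add-rotate-xor rounds."""
    x = a
    for i in range(4):
        x = (x + rotl32(b, 5 * i + 1)) & MASK32
        x = rotl32(x, 7) ^ b
        x = (x * 0x9E3779B1 + i) & MASK32
    return x


def g_function(y, v):
    """(L_{j+1}, (Y_{j+1}, v_{j+1})) = G(Y_j, v_j):
    Y_{j+1}^L = Y_j^R, Y_{j+1}^R = L_{j+1} = f_K(Y_j^L, Y_j^R xor v_j), v_{j+1} = Y_j^L."""
    y_l, y_r = (y >> 32) & MASK32, y & MASK32   # splitting part 221
    l_next = f_k(y_l, y_r ^ v)                    # XOR circuit 223 feeding f_K 222
    y_next = (y_r << 32) | l_next                 # swapping part 224
    return l_next, y_next, y_l


def intermediate_keys(master_key, rounds=8, v0=0):
    """Intermediate key generation part 220: Y_0 = K (64 bits), v_0 = 0,
    G called eight times; returns [L_1, ..., L_8], each 32 bits."""
    y, v, ls = master_key & MASK64, v0, []
    for _ in range(rounds):
        l, y, v = g_function(y, v)
        ls.append(l)
    return ls


def bit(x, pos, width=32):
    """t^(pos) of a width-bit value, pos = 1..width. ASSUMED: t^(1) is the
    most significant bit of the (t^(1), ..., t^(32)) = L_j split of Eq. (31)."""
    return (x >> (width - pos)) & 1


def h_function(i, ls):
    """Eq. (32): k_i = (t_1^(i), t_1^(16+i), ..., t_8^(i), t_8^(16+i)), 1 <= i <= 16,
    packed as a 16-bit integer with the first listed bit most significant."""
    k = 0
    for l in ls:
        k = (k << 2) | (bit(l, i) << 1) | bit(l, 16 + i)
    return k


def subkeys(master_key):
    """Sixth embodiment: store L_1..L_8 first (part 230), then run H per subkey."""
    ls = intermediate_keys(master_key)
    return [h_function(i, ls) for i in range(1, 17)]


def subkeys_incremental(master_key):
    """Seventh embodiment: as each L_j leaves G, its bits go straight into
    the 16 storage areas of part 260, one per subkey; same result as above."""
    areas = [0] * 16
    y, v = master_key & MASK64, 0
    for _ in range(8):
        l, y, v = g_function(y, v)
        for i in range(1, 17):
            areas[i - 1] = (areas[i - 1] << 2) | (bit(l, i) << 1) | bit(l, 16 + i)
    return areas


def known_bit_positions(known_subkey_indices):
    """[0157]: the bit positions of every L_j revealed by a set of recovered
    subkeys k_i; each k_i exposes only bits i and 16+i of each L_j."""
    return sorted({p for i in known_subkey_indices for p in (i, 16 + i)})


if __name__ == "__main__":
    K = 0x0123456789ABCDEF   # constructed sample master key
    print([hex(k) for k in subkeys(K)])
    print(known_bit_positions(range(6, 12)))   # [6, ..., 11, 22, ..., 27]
```

The two schedules return identical subkeys because the seventh embodiment only changes when the bit distribution happens, not which bits go where. `known_bit_positions` makes the [0157] argument concrete: six recovered subkeys expose 12 of the 32 bits of each L_j, and since every L_j is a full f_K output the remaining 20 bits of each are not determined by them.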
Eighth Embodiment

[0149] With a view to reducing the device size or the number of program steps, this embodiment uses in key
scheduling the f-function used for encryption.
[0150] This embodiment will also be described in the framework of the G- and H-functions.
[0151] Let the output of the G-function for the input (Y_j, v_j) be represented by

(L_{j+1}, (Y_{j+1}, v_{j+1})) = G(Y_j, v_j)    (0 ≤ j ≤ 7)

and let the input and output be laid out as follows:

((Y_j^(1), Y_j^(2), Y_j^(3), Y_j^(4)), v_j) -> ((L_{j+1}^(1), L_{j+1}^(2), L_{j+1}^(3), L_{j+1}^(4)), (Y_{j+1}^(1), Y_{j+1}^(2), Y_{j+1}^(3), Y_{j+1}^(4)), v_{j+1})    (35)

Here, the following definitions are given:

Y_{j+1}^(i) = f(Y_j^(i))    (i = 1, 2, 3, 4)    (36)

L_{j+1}^(0) = v_j    (37)

L_{j+1}^(i) = f(L_{j+1}^(i-1)) ⊕ Y_{j+1}^(i)    (i = 1, 2, 3, 4)    (38)

v_{j+1} = L_{j+1}^(4)    (39)

Further, in

k_i = H(i, L_1, L_2, ..., L_8)    (40)

the following definitions are given:

q_{i+4j} = L_{j+1}^(i+1)    (i = 0, 1, 2, 3; j = 0, 1, ..., 7)    (41)

(t_i^(0), t_i^(1), ..., t_i^(7)) = q_i    (i = 0, 1, ..., 31)    (42)

k_i = (t_{(i mod 2)}^([i/2]), t_{2+(i mod 2)}^([i/2]), ..., t_{30+(i mod 2)}^([i/2]))    (i = 0, 1, ..., 15)    (43)

where [i/2] in Equation (43) represents ⌊i/2⌋, the integer part of i/2.

[0152] This procedure will be described below with reference to Figs. 28 and 26.

Preparation

[0153]

Step 1: Set as v_0 a value extracted from 0123456789abcdef101112... (hex), taking the same number of bits as the
bit length of the function f.

Step 2: Set the master key K as Y_0.

Generation of Intermediate Keys: The following procedure is repeated for j = 0, 1, 2, ..., 7.

Step 1: Divide the input Y_j equally into four blocks (Y_j^(1), Y_j^(2), Y_j^(3), Y_j^(4)).
Step 2: For i = 1, 2, 3, 4, compute Y_{j+1}^(i) = f(Y_j^(i)) by the data diffusion parts 611 to 614.
Step 3: Set L_{j+1}^(0) = v_j.
Step 4: For i = 1, 2, 3, 4, compute f(L_{j+1}^(i-1)) by the data diffusion parts 621 to 624, and input the result of
computation to an XOR circuit 63i to XOR it with Y_{j+1}^(i), obtaining L_{j+1}^(i) = f(L_{j+1}^(i-1)) ⊕ Y_{j+1}^(i).
Step 5: Set Y_{j+1} = (Y_{j+1}^(1), Y_{j+1}^(2), Y_{j+1}^(3), Y_{j+1}^(4)).
Step 6: Set L_{j+1} = (L_{j+1}^(1), L_{j+1}^(2), L_{j+1}^(3), L_{j+1}^(4)).
Step 7: Set v_{j+1} = L_{j+1}^(4).

Generation of Subkeys: As in the sixth embodiment, Equation (43) is implemented to
obtain k_1, k_2, ..., k_N (where N ≤ 16).
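The following is an added worked example and not the patent's own code: it carries the eighth embodiment's Preparation, Generation of Intermediate Keys (Eqs. (36)-(39), Steps 1-7) and Generation of Subkeys (Eqs. (41)-(43)) through in Python. The encryption f-function is not given on this page, so `f_diffusion` is an assumed 64-bit stand-in; it is further assumed that f is 64 bits wide (so v_0 is the first 64 bits of 0123456789abcdef1011...), that Y_0 is 256 bits with K in its high-order bits and a constant filler as in variant (1), and that t_i^(0) is the high-order byte of q_i. The sample master key and all function names are this example's own.

```python
# Added example, not the patent's code: the G-function of Eqs. (36)-(39) and
# the H-function of Eqs. (41)-(43) of the eighth embodiment. f_diffusion is an
# ASSUMED 64-bit stand-in for the encryption f-function, which is not given on
# this page. Further assumptions: f is 64 bits wide, so v_0 is the first 64
# bits of 0123456789abcdef1011...; Y_0 is 256 bits with K in its high-order
# bits and a constant filler (variant (1)); t_i^(0) is the high byte of q_i.
MASK64 = (1 << 64) - 1
V0 = 0x0123456789ABCDEF          # Preparation, Step 1 (64-bit f assumed)


def f_diffusion(x):
    """ASSUMED stand-in for the data diffusion parts 611-614 / 621-624."""
    x &= MASK64
    for r in range(4):
        x = (x * 0x9E3779B97F4A7C15 + r) & MASK64
        x ^= (x >> 29) | ((x << 35) & MASK64)
    return x


def pad_master_key(key, key_bits):
    """Variant (1): K fills the top key_bits of the 256-bit Y_0; the rest is
    a constant (here repetitions of v_0, an assumption)."""
    if not 0 < key_bits <= 256:
        raise ValueError("key_bits must be 1..256")
    filler = 0
    for _ in range(4):
        filler = (filler << 64) | V0
    filler &= (1 << (256 - key_bits)) - 1
    return ((key & ((1 << key_bits) - 1)) << (256 - key_bits)) | filler


def g_function(y, v):
    """Generation of Intermediate Keys, Steps 1-7, for one value of j."""
    y_blocks = [(y >> (64 * (3 - i))) & MASK64 for i in range(4)]  # Step 1
    y_next = [f_diffusion(b) for b in y_blocks]                     # Step 2, Eq. (36)
    l_blocks, l_prev = [], v                                        # Step 3, Eq. (37)
    for i in range(4):                                              # Step 4, Eq. (38)
        l_prev = f_diffusion(l_prev) ^ y_next[i]
        l_blocks.append(l_prev)
    y_out = 0
    for b in y_next:                                                # Step 5
        y_out = (y_out << 64) | b
    return l_blocks, y_out, l_blocks[3]                             # Steps 6, 7 / Eq. (39)


def intermediate_keys(y0, v0=V0, rounds=8):
    """Returns [L_1, ..., L_8]; each L_{j+1} is its four 64-bit blocks L^(1..4)."""
    y, v, ls = y0, v0, []
    for _ in range(rounds):
        l, y, v = g_function(y, v)
        ls.append(l)
    return ls


def q_values(ls):
    """Eq. (41): q_{i+4j} = L_{j+1}^(i+1), giving q_0 .. q_31."""
    return [ls[j][i] for j in range(len(ls)) for i in range(4)]


def t_byte(q, m):
    """Eq. (42): (t_i^(0), ..., t_i^(7)) = q_i; byte 0 is the high byte (assumed)."""
    return (q >> (8 * (7 - m))) & 0xFF


def h_function(i, qs):
    """Eq. (43): k_i = (t_{i mod 2}^([i/2]), t_{2+(i mod 2)}^([i/2]), ...,
    t_{30+(i mod 2)}^([i/2])), i = 0..15: one byte from each of 16 q values."""
    m, parity = i // 2, i % 2
    return bytes(t_byte(qs[2 * n + parity], m) for n in range(16))


def subkeys(master_key, key_bits=128, n_subkeys=16):
    """Whole schedule: Preparation, eight G calls, then H for k_0 .. k_{N-1}."""
    qs = q_values(intermediate_keys(pad_master_key(master_key, key_bits)))
    return [h_function(i, qs) for i in range(n_subkeys)]


if __name__ == "__main__":
    K = 0x000102030405060708090A0B0C0D0E0F   # constructed 128-bit sample key
    for i, k in enumerate(subkeys(K)):
        print("k_%d = %s" % (i, k.hex()))
```

With these widths each subkey is 128 bits, and Eq. (43) uses every byte of every q_i exactly once across the 16 subkeys: ⌊i/2⌋ selects the byte within q and i mod 2 selects the parity of the q index, so a recovered k_i reveals one byte of each of 16 q values and nothing about the other 16.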



[0154] This embodiment is not limited to the above but can also be carried out in the following
manner:

(1) When the size of Y_0 is larger than K, K is used as part of Y_0 and the remaining part is filled with a constant.

(2) An arbitrary constant is used as v_0.

(3) The bit lengths of the respective quantities are set arbitrarily within the ranges in which they are consistent with
one another.

(4) A function other than the one used for encryption is used as f.

(5) Part of L_j is not used to compute H; this occurs when the number of subkeys k_i is small and the
bit length of L_j is large.

(6) H is computed in the same manner as in the sixth embodiment.

(7) G is computed in the same manner as in the sixth embodiment.

(8) As in the seventh embodiment, upon each generation of one intermediate key, rather than after the
generation of all the intermediate keys, the result of computation is stored in the storage part 260 at the
corresponding bit position of k_i.
[0155] The intermediate key generation part 220 and the subkey generation parts 240 and 250 may be adapted to
be operated under program control by the computer depicted in Fig. 22.

EFFECT OF THE INVENTION

[0156] As described above in detail, according to the present invention, the data transformation device for use
in an encryption device to conceal data is designed to meet the requirements of security and speed
simultaneously, ensuring security and permitting a fast encryption procedure without a significant increase
in the number of rounds. Hence, the device of the present invention is suitable for use in an encryption device of a
common-key cryptosystem which encrypts or decrypts data in blocks using a secret key.

[0157] Furthermore, according to the key scheduling of the present invention, even if k_6, k_7, k_8, k_9,
k_10 and k_11 are known in the sixth and seventh embodiments, only 12 bits (namely the 6th, 7th, 8th, 9th, 10th, 11th,
22nd, 23rd, 24th, 25th, 26th and 27th bits) of each L_j component are known. Thus, the problems
concerning the security of the key scheduling part raised for DES and the U. S. patent issued to Miyaguchi et al.
have been solved.



Claims

1. A data transformation device which has key storage means for storing plural pieces of key data and a plurality
of cascade-connected round processing parts each composed of a nonlinear function part supplied with said
plural pieces of key data to perform key-dependent nonlinear transformation, whereby input data is transformed
to different data in dependence on key data, said nonlinear function part of each of said round processing parts
comprising:

first key-dependent linear transformation means for linearly transforming input data to said round
processing part based on first key data stored in said key storage means;

splitting means for splitting the output data from said first key-dependent linear transformation means into
n pieces of subdata, said n being an integer equal to or larger than 4;

first nonlinear transformation means for nonlinearly transforming each of said n pieces of subdata;

second key-dependent linear transformation means for linearly transforming the output subdata from each
of said first nonlinear transformation means based on second key data stored in said key storage means;

second nonlinear transformation means for nonlinearly transforming n pieces of output subdata from said
second key-dependent linear transformation means; and

combining means for combining n pieces of output subdata from said second nonlinear transformation
means to provide the output from said nonlinear function part;

wherein said second key-dependent linear transformation means contains a linear transformation layer
wherein the input thereto is transformed linearly using XORs defined by an n x n matrix.

2. The data transformation device as claimed in claim 1, which further comprises:
initial splitting means for splitting said input data into two pieces of data;
nonlinear function means supplied with one of said two pieces of data;
linear operation means for causing the output data from said nonlinear function means to act on the other
piece of data; and
final combining means for combining two pieces of data into a single piece of output data.

3. The data transformation device as claimed in claim 2, which further comprises initial transformation means for
transforming said input data and for supplying said transformed input data to said initial splitting means.

4. The data transformation device as claimed in claim 2 or 3, which further comprises final transformation means
for transforming the output data from said final combining means to provide output data from said data
transformation device.

5. The data transformation device as claimed in claim 3 or 4, wherein at least one of said initial transformation
means and said final transformation means is key-dependent transformation means which performs
transformation based on key data stored in said key storage means.

6. The data transformation device as claimed in any one of claims 1 to 5, wherein said nonlinear function part is
provided with third key-dependent linear transformation means for linearly transforming the output data from
said combining means based on third key data stored in said key storage means to provide the output from said
nonlinear function part.

7. The data transformation device as claimed in any one of claims 1 to 6, wherein said first key-dependent linear
transformation means, said second key-dependent linear transformation means and/or said third key-dependent
linear transformation means is linear transformation means which performs a fixed linear transformation.

8. The data transformation device as claimed in any one of claims 1 to 7, wherein said first nonlinear
transformation means and said second nonlinear transformation means are each provided with: means for
splitting the input subdata thereto into two subblocks; means for performing linear transformation and nonlinear
transformation of each of said two split subblocks in cascade; and means for combining the transformed
subblocks from said cascade transformation means to provide transformed output subdata corresponding to
said input subdata.

9. The data transformation device as claimed in any one of claims 1 to 8, wherein said n x n matrix is formed by
n column vectors whose Hamming weights are equal to or larger than T-1 for a predetermined security
threshold T.

10. The data transformation device as claimed in claim 9, wherein said matrix is selected from a plurality of
matrix candidates as one which provides a maximum value of n_d, said n_d being the minimum number of active s-boxes.

11. The data transformation device as claimed in any one of claims 1 to 10, wherein said n x n matrix is a 4 x 4
matrix.



12. The data transformation device as claimed in claim 11, wherein said second linear transformation means is
means which inputs thereto four data A1, A2, A3 and A4 from said first nonlinear transformation means,
computes

B1 = A1 ⊕ A3 ⊕ A4
B2 = A2 ⊕ A3 ⊕ A4
B3 = A1 ⊕ A2 ⊕ A3
B4 = A1 ⊕ A2 ⊕ A4

and outputs data B1, B2, B3 and B4.

13. The data transformation device as claimed in claim 12, wherein said second linear transformation means is
key-dependent linear transformation means, which is also supplied with key data k2 = [k21, k22, k23, k24] from
said key storage means and performs XOR operations by said key data k21, k22, k23 and k24 in the
computations for said output data B1, B2, B3 and B4, respectively.

14. The data transformation device as claimed in claim 11, wherein:

said first nonlinear transformation means comprises: for four pieces of m-bit subdata in1, in2, in3 and in4
from said splitting means, means for transforming said in1 to 4m-bit data MI1 = [A1, 00...0_(2), A1, A1]; means for
transforming said in2 to 4m-bit data MI2 = [00...0_(2), A2, A2, A2]; means for transforming said in3 to 4m-bit
data MI3 = [A3, A3, A3, 00...0_(2)]; and means for transforming said in4 to 4m-bit data
MI4 = [A4, A4, 00...0_(2), A4]; and

said second linear transformation means is means supplied with said data MI1, MI2, MI3 and MI4 from
said first nonlinear transformation means, for computing B = MI1 ⊕ MI2 ⊕ MI3 ⊕ MI4 and for outputting
B = [B1, B2, B3, B4].

15. The data transformation device as claimed in claim 14, wherein said second linear transformation means is
key-dependent linear transformation means, which is also supplied with 4m-bit key data k2 from said key
storage means and performs an XOR operation by said key data k2 in the computation of said B.

16. The data transformation device as claimed in any one of claims 1 to 10, wherein said n x n matrix is an 8 x 8
matrix.

17. The data transformation device as claimed in claim 16, wherein said second linear transformation means is
means which provides its eight pieces of output data B1 to B8 by obtaining four pieces of said output subdata
B1, B2, B3 and B4 through XOR operations using six of eight pieces of subdata A1, A2, ..., A8 from said first
nonlinear transformation means and by obtaining four pieces of said output subdata B5, B6, B7 and B8 through
XORing using five of said eight pieces of subdata from said first nonlinear transformation means.

18. The data transformation device as claimed in claim 17, wherein said second linear transformation means is
key-dependent linear transformation means, which is supplied with key data
k2 = [k21, k22, k23, k24, k25, k26, k27, k28] stored in said key storage means and performs XOR operations by said
key data k21, k22, k23, k24, k25, k26, k27 and k28 for obtaining said output subdata [B1, B2, B3, B4, B5, B6,
B7, B8].

19. The data transformation device as claimed in claim 16, wherein:

said first nonlinear means is means for transforming eight pieces of m-bit subdata in1 to in8 from said
splitting means to eight pieces of 8m-bit data

MI1 = [00...0_(2), A1, A1, A1, A1, A1, 00...0_(2), A1],
MI2 = [A2, 00...0_(2), A2, A2, A2, A2, A2, 00...0_(2)],
MI3 = [A3, A3, 00...0_(2), A3, 00...0_(2), A3, A3, A3],
MI4 = [A4, A4, A4, 00...0_(2), A4, 00...0_(2), A4, A4],
MI5 = [A5, 00...0_(2), A5, A5, A5, 00...0_(2), 00...0_(2), A5],
MI6 = [A6, A6, 00...0_(2), A6, A6, A6, 00...0_(2), 00...0_(2)],
MI7 = [A7, A7, A7, 00...0_(2), 00...0_(2), A7, A7, 00...0_(2)], and
MI8 = [00...0_(2), A8, A8, A8, 00...0_(2), 00...0_(2), A8, A8]; and

said second linear transformation means is means supplied with said data MI1 to MI8 from said first
nonlinear transformation means, for computing B = MI1 ⊕ MI2 ⊕ MI3 ⊕ MI4 ⊕ MI5 ⊕ MI6 ⊕ MI7 ⊕ MI8 and for
outputting B = [B1, B2, B3, B4, B5, B6, B7, B8].

20. The data transformation device as claimed in claim 19, wherein said second linear transformation means is
key-dependent linear transformation means, which is also supplied with 8m-bit key data k2 stored in said key
storage means and performs an XOR operation by said key data k2 for obtaining said B.

21. A recording medium on which there is recorded a data transformation program by which round processing
containing a nonlinear function process of performing key-dependent nonlinear transformations based on plural
pieces of key data stored in key storage means is executed a plurality of times in cascade to thereby transform
input data to different data in dependence on key data, said nonlinear function process of said round processing
comprising:

a first key-dependent linear transformation step of linearly transforming input data to a round processing
part based on first key data stored in said key storage means;

a splitting step of splitting output data by said first key-dependent linear transformation step into n
pieces of subdata, said n being an integer equal to or larger than 4;

a first nonlinear transformation step of nonlinearly transforming each of said n pieces of subdata;

a second key-dependent linear transformation step of performing a linear transformation using second key
data and output subdata by said first nonlinear transformation step;

a second nonlinear transformation step of performing a second nonlinear transformation of each of said n
pieces of output subdata by said second key-dependent linear transformation step; and

a combining step of combining n pieces of output subdata by said second nonlinear transformation step
into a single piece of data for output as the result of said nonlinear function process;

wherein said second key-dependent linear transformation step includes an XOR linear transformation step
of performing, for the input thereto, XORing defined by an n x n matrix.

22. The recording medium as claimed in claim 21, wherein said data transformation program comprises:
an initial splitting step of splitting said input data into two pieces of data;

a step of performing said nonlinear function process using one of said two pieces of data as the input
thereto;

a linear operation step of causing the output data by said nonlinear function processing step to act on the
other piece of said data; and

a final combining step of combining two pieces of data into a single piece of output data.

23. The recording medium as claimed in claim 22, wherein said data transformation program includes an initial
transformation step of transforming said input data and supplying said transformed input data to said initial
splitting step.

24. The recording medium as claimed in claim 22 or 23, wherein said data transformation program includes a final
transformation step of transforming the output data by said final combining step to provide output data.

25. The recording medium as claimed in claim 23 or 24, wherein at least one of said initial transformation step
and said final transformation step of said data transformation program is a key-dependent transformation step
of performing transformation based on key data.



50 
26. The recording medium as claimed in any one of claims 21 to 25, wherein said nonlinear function processing
step includes a third key-dependent linear transformation step of linearly transforming the output data by said
combining step based on third key data stored in said key storage means to provide the output of said nonlinear
function processing step.

27. The recording medium as claimed in any one of claims 21 to 26, wherein said first key-dependent linear
transformation step, said second key-dependent linear transformation step and/or said third key-dependent linear
transformation step is a linear transformation step of performing a fixed linear transformation.

28. The recording medium as claimed in any one of claims 21 to 27, wherein said first nonlinear transformation
step and said second nonlinear transformation step each include: a step of splitting the input data thereto
into two subblocks; a step of performing linear transformation of each of said two split subblocks; a step of
performing linear transformation and nonlinear transformation of each of said two split subblocks in cascade; and
a step of combining the transformed subblocks by said cascade transformation step into nonlinearly
transformed output data corresponding to said input data.

29. The recording medium as claimed in any one of claims 21 to 28, wherein said n x n matrix is formed by n
column vectors whose Hamming weights are equal to or larger than T-1 for a predetermined security threshold
T.

30. The recording medium as claimed in claim 29, wherein said matrix is selected from a plurality of matrix
candidates as one which provides a maximum value of n_d, said n_d being the minimum number of active s-boxes.

31. The recording medium as claimed in any one of claims 21 to 30, wherein said n x n matrix is a 4 x 4 matrix.

32. The recording medium as claimed in claim 31, wherein said second linear transformation step is a step of
inputting thereto four data A1, A2, A3 and A4 by said first nonlinear transformation step, computing

B1 = A1 ⊕ A3 ⊕ A4
B2 = A2 ⊕ A3 ⊕ A4
B3 = A1 ⊕ A2 ⊕ A3
B4 = A1 ⊕ A2 ⊕ A4

and outputting data B1, B2, B3 and B4.

33. The recording medium as claimed in claim 32, wherein said second linear transformation step is a
key-dependent linear transformation step of inputting key data k2 = [k21, k22, k23, k24] in said key storage means and
performing XOR operations by said key data k21, k22, k23 and k24 in the computations for said output data B1,
B2, B3 and B4, respectively.

34. The recording medium as claimed in claim 32 or 33, wherein:

said first nonlinear transformation step comprises: for four pieces of m-bit subdata in1, in2, in3 and in4
from said splitting step, a step of transforming said in1 to 4m-bit data MI1 = [A1, 00...0_(2), A1, A1]; a step
of transforming said in2 to 4m-bit data MI2 = [00...0_(2), A2, A2, A2]; a step of transforming said in3 to
4m-bit data MI3 = [A3, A3, A3, 00...0_(2)]; and a step of transforming said in4 to 4m-bit data
MI4 = [A4, A4, 00...0_(2), A4]; and

said second linear transformation step is a step of inputting said data MI1, MI2, MI3 and MI4 by said first
nonlinear transformation step, computing B = MI1 ⊕ MI2 ⊕ MI3 ⊕ MI4 and outputting B = [B1, B2, B3, B4].

35. The recording medium as claimed in claim 34, wherein said second linear transformation step is a
key-dependent linear transformation step of inputting 4m-bit key data k2 in said key storage means and performing
an XOR operation by said key data k2 in the computation of said B.

36. The recording medium as claimed in any one of claims 21 to 30, wherein said n * n matrix is an 8 x 8 matrix. 

37. The recording medium as claimed in claim 36, wherein said second linear transformation step is a step of 
providing its eight pieces of output data B1 to B8 by obtaining four pieces of said output subdata B1, B2, B3 
and B4 through XOR operations using six of eight pieces of subdata A1, A2, ..., A8 by said first nonlinear 
transformation step and by obtaining four pieces of said output subdata B5, B6, B7 and B8 through XORing 
using five of said eight pieces of subdata by said first nonlinear transformation step. 

38. The recording medium as claimed in claim 37, wherein said second linear transformation step is a key-
dependent linear transformation step of inputting key data k2 = [k21, k22, k23, k24, k25, k26, k27, k28] stored 
in said key storage means and performing XOR operations by said key data k21, k22, k23, k24, k25, k26, k27 
and k28 for obtaining said output subdata [B1, B2, B3, B4, B5, B6, B7, B8]. 

39. The recording medium as claimed in claim 37 or 38, wherein: 

said first nonlinear step is a step of transforming eight pieces of m-bit subdata in1 to in8 by said 
splitting means to eight pieces of 8m-bit data 

MI1 = [00...0(2), A1, A1, A1, A1, A1, 00...0(2), A1], 
MI2 = [A2, 00...0(2), A2, A2, A2, A2, A2, 00...0(2)], 
MI3 = [A3, A3, 00...0(2), A3, 00...0(2), A3, A3, A3], 
MI4 = [A4, A4, A4, 00...0(2), A4, 00...0(2), A4, A4], 
MI5 = [A5, 00...0(2), A5, A5, A5, 00...0(2), 00...0(2), A5], 
MI6 = [A6, A6, 00...0(2), A6, A6, A6, 00...0(2), 00...0(2)], 
MI7 = [A7, A7, A7, 00...0(2), 00...0(2), A7, A7, 00...0(2)], and 
MI8 = [00...0(2), A8, A8, A8, 00...0(2), 00...0(2), A8, A8]; and 

said second linear transformation step is a step of inputting said data MI1 to MI8 by said first nonlinear 
transformation step, computing B = MI1 ⊕ MI2 ⊕ MI3 ⊕ MI4 ⊕ MI5 ⊕ MI6 ⊕ MI7 ⊕ MI8 and outputting 
B = [B1, B2, B3, B4, B5, B6, B7, B8]. 



40. The recording medium as claimed in claim 39, wherein said second linear transformation step is a key-
dependent linear transformation step of inputting 8m-bit key data k2 stored in said key storage means and 
performing an XOR operation by said key data k2 for obtaining said B. 
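A worked implementation, added here as an example and not part of the patent text, of the second linear transformation in claims 32 to 40: it builds B from the MI expansion of claims 34 and 39, applies the optional subkey XOR of claims 33/35/38/40, and checks the column-weight condition of claim 29 and the six/five input counts of claim 37. The 0/1 masks are transcribed from the claims; the sample subdata values are constructed.

```python
# Added example (not the patent's own code): the second linear transformation of
# claims 32-40.  Each MIi holds subdata Ai in the slots flagged '1' below and an
# all-zero m-bit word elsewhere (claims 34 and 39); B = MI1 xor ... xor MIn.
# Read as a matrix B = P * A over GF(2), MASK_n[i] is column i of P.

MASK_4 = ["1011", "0111", "1110", "1101"]          # MI1..MI4 from claim 34
MASK_8 = ["01111101", "10111110", "11010111", "11101011",
          "10111001", "11011100", "11100110", "01110011"]  # MI1..MI8 from claim 39

def expand(mask, a_i):
    """MIi: Ai wherever the mask has '1', the all-zero word 00...0 elsewhere."""
    return [a_i if flag == "1" else 0 for flag in mask]

def second_linear_transform(masks, a, k2=None):
    """B = MI1 xor ... xor MIn; with k2 given, also xor subkey words (claims 33/35/38/40)."""
    n = len(masks)
    if len(a) != n or (k2 is not None and len(k2) != n):
        raise ValueError("expected %d subdata words (and %d subkey words)" % (n, n))
    b = [0] * n
    for mask, a_i in zip(masks, a):
        for slot, word in enumerate(expand(mask, a_i)):
            b[slot] ^= word
    if k2 is not None:
        b = [b_j ^ k_j for b_j, k_j in zip(b, k2)]
    return b

def column_weights(masks):
    """Hamming weight of each column vector of P (claim 29): how many slots Ai is spread to."""
    return [mask.count("1") for mask in masks]

def inputs_per_output(masks):
    """How many Ai feed each Bj (claim 37: six for B1..B4, five for B5..B8)."""
    n = len(masks)
    return [sum(int(masks[i][j]) for i in range(n)) for j in range(n)]

def meets_threshold(masks, t):
    """Claim 29: every column weight must be at least T-1 for security threshold T."""
    return min(column_weights(masks)) >= t - 1

if __name__ == "__main__":
    a = [1 << i for i in range(8)]             # constructed sample subdata A1..A8
    print(second_linear_transform(MASK_8, a))  # one bit per Ai, so each Bj lists its inputs
    print(column_weights(MASK_8), meets_threshold(MASK_8, 6))
```

With one-hot sample words, each output word's set bits name exactly the Ai that claim 37 says feed it.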

41. The data transformation device as claimed in any one of claims 1 to 20, which further comprises: 

G-function means composed of M rounds means which are supplied with a master key K and generate 
intermediate values L_{j+1} (j = 0, 1, ..., M-1); 

intermediate value storage means for temporarily storing said each intermediate value L_j from said G-
function means; and 

H-function means equipped with a partial information extracting function of generating N subkeys from a 
plurality of L_j and for storing them as said plural pieces of key data in said key storage means; 

wherein: 

said G-function means takes said master key as at least one part of Y_0, inputs Y_j and v_j in the output 
(L_j, Y_j, v_j) from the j-th round into its (j+1)-th round (where j = 0, 1, ..., M-1), diffuses the inputs and 
outputs L_{j+1}, Y_{j+1} and v_{j+1}; and 

said H-function means inputs i (where i = 1, 2, ..., N) and L_1, L_2, ..., L_M stored in said intermediate value 
storage means, extracts information about bit positions of subkeys k_i determined by said i from said L_1, ..., 
L_M, and outputs said subkeys, said subkeys being stored in said key storage means. 

42. The data transformation device as claimed in any one of claims 1 to 20, which further comprises: 

G-function means composed of M rounds means which are supplied with a master key K and generate 
intermediate values L_{j+1} (j = 0, 1, ..., M-1); 

H-function means equipped with a partial information extracting function of generating subkeys from a 
plurality of L_j generated by said G-function means; and 

intermediate value storage means for storing outputs from said H-function means as values corresponding 
to said subkeys; 

wherein: 

said G-function means takes said master key as at least one part of Y_0, inputs Y_j and v_j in the output 
(L_j, Y_j, v_j) from the j-th round into its (j+1)-th round, diffuses the inputs and outputs L_{j+1}, Y_{j+1} and v_{j+1}; and 

said H-function means inputs i, q and L_j (1 ≤ i ≤ N, 1 ≤ j ≤ M, 1 ≤ q ≤ the number of bits of k_i), and extracts 
bit position information defined by i and q from L_j to provide information about the bit position q of the 
subkeys k_i, said subkeys being stored as said plurality of key data in said key storage means. 



43. The data transformation device as claimed in claim 41 or 42, wherein said G-function means comprises: 

data splitting means for splitting the input Y_j into two blocks (Y_j^L, Y_j^R) and for outputting Y_j^L as v_{j+1}; 

XOR means for computing Y_j^R ⊕ v_j from said Y_j^R and said v_j; 

data diffusion means supplied with said Y_j^L and the output from said XOR means, for diffusing them and 
for outputting the result as L_{j+1}; and 

data swapping means for rendering said Y_j^R into Y_{j+1}^L and said L_{j+1} into Y_{j+1}^R and for concatenating said 
Y_{j+1}^L and said Y_{j+1}^R into an output Y_{j+1} = (Y_{j+1}^L, Y_{j+1}^R). 



44. The data transformation device as claimed in claim 41, wherein said H-function means comprises: 

bit splitting means for splitting bitwise each L_j read out of said intermediate value storage means into 
(t_j^{(1)}, t_j^{(2)}, ..., t_j^{(2N)}) = L_j (j = 1, 2, ..., M); and 

bit combining means for combining the resulting (t_1^{(i)}, t_1^{(N+i)}, t_2^{(i)}, t_2^{(N+i)}, ..., t_M^{(i)}, t_M^{(N+i)}) and for outputting 
subkeys 

k_i = (t_1^{(i)}, t_1^{(N+i)}, t_2^{(i)}, t_2^{(N+i)}, ..., t_M^{(i)}, t_M^{(N+i)}) (i = 1, 2, ..., N). 

45. The data transformation device as claimed in claim 42, wherein said H-function means comprises: 

bit splitting means for splitting said each L_j bitwise into 
(t_j^{(1)}, t_j^{(2)}, ..., t_j^{(2N)}) = L_j (j = 1, 2, ..., M); and 

bit combining means for combining said bits (t_j^{(1)}, t_j^{(2)}, ..., t_j^{(2N)}) so that information about the bit position 
defined by the bit position q of k_i for i becomes the bit position of k_i, and for outputting subkeys 

k_i = (t_1^{(i)}, t_1^{(N+i)}, t_2^{(i)}, t_2^{(N+i)}, ..., t_M^{(i)}, t_M^{(N+i)}) (i = 1, 2, ..., N). 

46. The data transformation device as claimed in claim 41 or 42, wherein said G-function means is means for 
performing the following operation: 

For (L_{j+1}, (Y_{j+1}, v_{j+1})) = G(Y_j, v_j) (0 ≤ j ≤ M-1), the output result 

((Y0> Y/ 2 > Y<3>, Vj )^((L(i) +v L^ v L^ v LS%J t [(*% v Y\ v Y^), v^}) 

where: 

40 y</> >1 =^^' ) )(i=1.2.3.4) 

= Vy 

L(Vi=nL (M, M)® Y(i Vi( l = 1 ' 2 ' 3 ' 4 > 

and said H-function means is means for performing the following operation: 
For k_i = H(i, L_1, L_2, ..., L_M) 

^=^,0 = 0.1.2. 3) 
50 (( (0), tp\ r,< 7 >)=£7, (i = 0, 1 31) 

Vl) = (^v ( ,- 2) . ^<,•- 2 ^^^- 2 ) )(i = 0 • 1 N - 1) - 
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47. An encryption key scheduling device for scheduling subkeys from a master key, comprising: 

G-function means composed of M rounds means which are supplied with a master key K and generate 
intermediate values L_{j+1} (j = 0, 1, ..., M-1); 

intermediate value storage means for temporarily storing said each intermediate value L_j from said G-
function means; and 

H-function means equipped with a partial information extracting function of generating N subkeys from a 
plurality of L_j; 

wherein: 

said G-function means takes said master key as at least one part of Y_0, inputs Y_j and v_j in the output 
(L_j, Y_j, v_j) from the j-th round into its (j+1)-th round (where j = 0, 1, ..., M-1), diffuses the inputs and 
outputs L_{j+1}, Y_{j+1} and v_{j+1}; and 

said H-function means inputs i (where i = 1, 2, ..., N) and L_1, L_2, ..., L_M stored in said intermediate value 
storage means, extracts information about bit positions of subkeys k_i determined by said i from said L_1, ..., 
L_M and outputs said subkeys. 

48. An encryption key scheduling device for scheduling subkeys from a master key, comprising: 

G-function means composed of M rounds means which are supplied with a master key K and generate 
intermediate values L_{j+1} (j = 0, 1, ..., M-1); 

H-function means equipped with a partial information extracting function of generating subkeys from a 
plurality of L_j generated by said G-function means; and 

intermediate value storage means for storing outputs from said H-function means as values corresponding 
to said subkeys k_i; 

wherein: 

said G-function means takes said master key as at least one part of Y_0, inputs Y_j and v_j in the output 
(L_j, Y_j, v_j) from the j-th round into its (j+1)-th round, diffuses the inputs and outputs L_{j+1}, Y_{j+1} and v_{j+1}; and 

said H-function means inputs i, q and L_j (1 ≤ i ≤ N, 1 ≤ j ≤ M, 1 ≤ q ≤ the number of bits of k_i), and extracts 
bit position information defined by i and q from L_j to provide information about the bit position q of the 
subkeys k_i. 

49. The encryption key scheduling device as claimed in claim 47 or 48, wherein said G-function means 
comprises: 

data splitting means for splitting the input Y_j into two blocks (Y_j^L, Y_j^R) and for outputting Y_j^L as v_{j+1}; 

XOR means for computing Y_j^R ⊕ v_j from said Y_j^R and said v_j; 

data diffusion means supplied with said Y_j^L and the output from said XOR means, for diffusing them and 
for outputting the result as L_{j+1}; and 

data swapping means for rendering said Y_j^R into Y_{j+1}^L and said L_{j+1} into Y_{j+1}^R and for concatenating said 
Y_{j+1}^L and said Y_{j+1}^R into an output Y_{j+1} = (Y_{j+1}^L, Y_{j+1}^R). 

50. The encryption key scheduling device as claimed in claim 47, wherein said H-function means comprises: 

bit splitting means for splitting bitwise each L_j read out of said intermediate value storage means into 
(t_j^{(1)}, t_j^{(2)}, ..., t_j^{(2N)}) = L_j (j = 1, 2, ..., M); and 

bit combining means for combining the resulting (t_1^{(i)}, t_1^{(N+i)}, t_2^{(i)}, t_2^{(N+i)}, ..., t_M^{(i)}, t_M^{(N+i)}) and for outputting 
subkeys 

k_i = (t_1^{(i)}, t_1^{(N+i)}, t_2^{(i)}, t_2^{(N+i)}, ..., t_M^{(i)}, t_M^{(N+i)}) (i = 1, 2, ..., N). 



51. The encryption key scheduling device as claimed in claim 48, wherein said H-function means comprises: 

bit splitting means for splitting said each L_j bitwise into 
(t_j^{(1)}, t_j^{(2)}, ..., t_j^{(2N)}) = L_j (j = 1, 2, ..., M); and 

bit combining means for combining said bits (t_j^{(1)}, t_j^{(2)}, ..., t_j^{(2N)}) so that information about the bit position 
defined by the bit position q of k_i for i becomes the bit position of k_i, and for outputting subkeys 

k_i = (t_1^{(i)}, t_1^{(N+i)}, t_2^{(i)}, t_2^{(N+i)}, ..., t_M^{(i)}, t_M^{(N+i)}) (i = 1, 2, ..., N). 

52. The encryption key scheduling device as claimed in claim 47 or 48, wherein said G-function means is means 
for performing the following operation: 

For (L_{j+1}, (Y_{j+1}, v_{j+1})) = G(Y_j, v_j) (0 ≤ j ≤ M-1), the output result 

((Y/D. Y/2) Y/3)), Vj }^ L% v L^ v L^,U{Yi^ v Y<*> +v W) +v Y^). 

where: 

^ 1 = ^.<";(i=1.2.3,4) ' 
L%, = i(VS>-\,)®Y%, (i = 1. 2. 3, 4) 

and said H-function means is means for performing the following operation: 

For k_i = H(i, L_1, L_2, ..., L_M) 

^=^^,0 = 0.1.2.3) 

(f(0), m -, tp)=q,0 = 0, 1 31) 

V^V™ ^W- 2 /--^ 1) — ,) (• -0.1 N-u. 



53. A recording medium on which there is recorded a program for a computer to implement an encryption key 
scheduling device which inputs a master key K and generates therefrom a plurality of subkeys k_i (i = 1, ..., N), 
said program comprising: 

an intermediate key generation process in which said master key K as Y_0 and a constant v_0 are input, 
diffusion processing of said inputs is repeated in cascade a plurality of times and an intermediate 
value L_j (j = 1, 2, ..., M) is output for each diffusion processing; 

a process of storing said intermediate key in a storage part; and 

a subkey generation process in which, upon storage of a predetermined number of intermediate values 
L_n to L_M in said intermediate value storage part, information about bit positions of subkeys k_i 
determined by i from said L_n to L_M is extracted and said subkeys k_i are generated. 

54. A recording medium on which there is recorded a program for a computer to implement an encryption key 
scheduling device which inputs a master key K and generates therefrom a plurality of subkeys k_i (i = 1, ..., N), 
said program comprising: 

an intermediate key generation process in which said master key K as Y_0 and a constant v_0 are input, 
diffusion processing of said inputs is repeated in cascade a plurality of times and an intermediate 
value L_j (j = 1, 2, ..., M) is output for each diffusion processing; 

a process in which, upon each generation of said intermediate value L_j, information about the bit position 
of said L_j defined by i of said subkeys k_i and the bit position q of said k_i is extracted as bit position 
information for said k_i and is stored in an intermediate value storage part; and 

a process in which, upon determination of the information about each bit position of each of said 
subkeys k_i in said storage part, said subkey k_i is output. 
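A worked model of the key schedule in claims 41 to 46 and 47 to 54, added here as an example rather than taken from the patent: one G-function round per claims 43/49, the M-round intermediate value generation of claim 53, and the H-function bit extraction of claims 44/50. The claims leave the data diffusion means unspecified, so diffuse() below is an assumed placeholder mixer; the widths N and M and the constant v_0 are constructed values.

```python
# Added example (not the patent's own code) of the key-schedule structure in
# claims 41-46 and 47-54: a G-function round (claim 43/49), the cascade of M
# rounds from Y_0 = K and a constant v_0 (claim 53), and the H-function that
# assembles k_i from bits i and N+i of every L_j (claim 44/50).
# diffuse() is an assumed stand-in for the unspecified diffusion means.

N = 8                    # number of subkeys; each L_j is 2N bits wide (constructed)
M = 4                    # number of G-function rounds, so each k_i has 2M bits
WIDTH = 2 * N            # width of L_j, v_j and of each half of Y_j
MASK = (1 << WIDTH) - 1

def diffuse(left, right):
    """Assumed placeholder for the diffusion means: mixes two WIDTH-bit words into one."""
    x = (left ^ (((right << 3) | (right >> (WIDTH - 3))) & MASK)) & MASK  # rotate-xor
    return (x ^ (x >> 7) ^ (x << 4)) & MASK

def g_round(y, v):
    """Claim 43: compute (L_{j+1}, Y_{j+1}, v_{j+1}) from (Y_j, v_j)."""
    y_left, y_right = (y >> WIDTH) & MASK, y & MASK   # data splitting means
    v_next = y_left                                    # Y_j^L is output as v_{j+1}
    l_next = diffuse(y_left, y_right ^ v)              # XOR means, then diffusion means
    y_next = (y_right << WIDTH) | l_next               # swapping means: Y_{j+1} = (Y_j^R, L_{j+1})
    return l_next, y_next, v_next

def intermediate_values(master_key, v0):
    """Claim 53: Y_0 = K, v_0 a constant; run M rounds in cascade and collect L_1..L_M."""
    y, v, ls = master_key, v0, []
    for _ in range(M):
        l, y, v = g_round(y, v)
        ls.append(l)
    return ls

def t(l, pos):
    """t_j^(pos): bit number pos (1-based, most significant first) of a 2N-bit L_j."""
    return (l >> (WIDTH - pos)) & 1

def h_function(i, ls):
    """Claim 44: k_i = (t_1^(i), t_1^(N+i), ..., t_M^(i), t_M^(N+i)), packed MSB first."""
    k = 0
    for l in ls:
        k = (k << 2) | (t(l, i) << 1) | t(l, N + i)
    return k

def schedule(master_key, v0=0xA5C3):
    """All N subkeys from one master key (v0 is a constructed constant)."""
    ls = intermediate_values(master_key & ((1 << 2 * WIDTH) - 1), v0)
    return [h_function(i, ls) for i in range(1, N + 1)]
```

Because each L_j contributes exactly bits i and N+i to k_i, the N subkeys together use every bit of every L_j exactly once.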
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